I have many XML files like the one below where I would like to replace a string with a new string. I cannot seem to get the sed command to work on the XML files.
<form version="1.1" theme="dark">
  <label>Forcepoint DLP Dashboard - LongTerm</label>
  <description>Activity for those with Long-Term Exceptions</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="TimeFrame" searchWhenChanged="true">
      <label>Timeframe</label>
      <default>
        <earliest>-48h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>Macros In Use:</p>
        <p>`ForcepointApprovedUSB` = Known Approved USB Devices</p>
        <p>`ForcepointKnownCDDVD` = Known CD/DVD Drives</p>
        <p>`ForcepointKnownMultiFunction` = Known Multi-Function Devices</p>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Exception Info</title>
      <table>
        <search>
          <query>index=restricted_security sourcetype=forcepoint | rex field=_raw "(.*act=(?<Action>.*?)\s.*)" | rex field=_raw "(.*duser=(?<Device>.*?)(:\s\d|;|\sfname=).*)" | rex field=_raw "(.*duser=.*?;\s(?<Serial>.*?)\sfname=)" | rex field=_raw "(.*fname=(?<Filename>.*?)\smsg=.*)" | rex field=_raw "(.*fname=.:\\\(?<RawFilename>.*)(?:\s-\s.*)\smsg=.*)" | rex field=_raw "(.*suser=(?<Name>.*)\scat=.*)" | rex field=_raw "(.*loginName=.*\\\\(?<Username>.*)\ssourceIp=.*)" | rex field=_raw "(.*sourceIp=(?<IP>.*)\sseverityType=.*)" | rex field=_raw "(.*sourceHost=(?<Source>.*)\sproductVersion=.*)" | rex field=_raw "(.*sourceServiceName=(?<AlertType>.*)\sanalyzedBy=.*)" | eval Username=lower(Username) | eval Action=if(isnull(Action),"-",Action) | eval Serial=if(isnull(Serial),"-",Serial) | eval EnumDeviceType=case( (`ForcepointApprovedUSB`),"ApprovedUSB", (`ForcepointKnownCDDVD`),"CDDVD", (`ForcepointKnownMultiFunction`),"MultiFunction", AlertType="Endpoint Applications" AND Device="Bluetooth","Bluetooth", AlertType="Endpoint Removable Media" AND Device="Windows Portable Device (WPD)","WPD", AlertType="Endpoint Removable Media" AND Device!="Windows Portable Device (WPD)" AND NOT (`ForcepointApprovedUSB`) AND NOT (`ForcepointKnownCDDVD`) AND NOT (`ForcepointKnownMultiFunction`),"UnApprovedUSB") | join type=inner Username [ search index=restricted_security sourcetype=dlp_lt | rename UserID as Username | eval Check = "Yes" | fields Username,Check,Justification,Type,ExpireDate ] | where isnotnull(EnumDeviceType) AND Check="Yes" | eval Time=strftime(_time, "%B %d, %Y %H:%M %Z") | dedup Username | table Time Username Name Justification Type ExpireDate | sort Name</query>
          <earliest>$TimeFrame.earliest$</earliest>
          <latest>$TimeFrame.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Transfers By Those With Long-Term Exceptions</title>
      <table>
        <search>
          <query>index=restricted_security sourcetype=forcepoint | rex field=_raw "(.*act=(?<Action>.*?)\s.*)" | rex field=_raw "(.*duser=(?<Device>.*?)(:\s\d|;|\sfname=).*)" | rex field=_raw "(.*duser=.*?;\s(?<Serial>.*?)\sfname=)" | rex field=_raw "(.*fname=(?<Filename>.*?)\smsg=.*)" | rex field=_raw "(.*fname=.:\\\(?<RawFilename>.*)(?:\s-\s.*)\smsg=.*)" | rex field=_raw "(.*suser=(?<Name>.*)\scat=.*)" | rex field=_raw "(.*loginName=.*\\\\(?<Username>.*)\ssourceIp=.*)" | rex field=_raw "(.*sourceIp=(?<IP>.*)\sseverityType=.*)" | rex field=_raw "(.*sourceHost=(?<Source>.*)\sproductVersion=.*)" | rex field=_raw "(.*sourceServiceName=(?<AlertType>.*)\sanalyzedBy=.*)" | eval Username=lower(Username) | eval Action=if(isnull(Action),"-",Action) | eval Serial=if(isnull(Serial),"-",Serial) | eval EnumDeviceType=case( (`ForcepointApprovedUSB`),"ApprovedUSB", (`ForcepointKnownCDDVD`),"CDDVD", (`ForcepointKnownMultiFunction`),"MultiFunction", AlertType="Endpoint Applications" AND Device="Bluetooth","Bluetooth", AlertType="Endpoint Removable Media" AND Device="Windows Portable Device (WPD)","WPD", AlertType="Endpoint Removable Media" AND Device!="Windows Portable Device (WPD)" AND NOT (`ForcepointApprovedUSB`) AND NOT (`ForcepointKnownCDDVD`) AND NOT (`ForcepointKnownMultiFunction`),"UnApprovedUSB") | join type=inner Username [ search index=restricted_emn_security sourcetype=dlp_lt | rename UserID as Username | eval Check = "Yes" | dedup Username | fields Username, Check ] | where isnotnull(EnumDeviceType) AND Check="Yes" | eval Time=strftime(_time, "%B %d, %Y %H:%M %Z") | table Time Username Name Action Source Filename Device Serial EnumDeviceType | sort -Time</query>
          <earliest>$TimeFrame.earliest$</earliest>
          <latest>$TimeFrame.latest$</latest>
        </search>
        <option name="count">30</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
The pattern I would like to replace is
index=restricted_security sourcetype=forcepoint
with
index=newname sourcetype=forcepoint
So any pattern where
index=restricted_security sourcetype=forcepoint
should be replaced with the new value.
The XML files have many combinations like
index=restricted_security sourcetype=someother value, index=someindex sourcetype=forcepoint
etc., but they don't need to be replaced.
I have tried many patterns like the one below, with many combinations of sed, but it does not seem to work:
sed 's/index=restricted_security\s\nsourcetype=forcepoint/index=restricted_security sourcetype=forcepoint/g'
Can someone please point out how to get this to replace?
/index=newname ...? If it is /index=restricted_security ... it is the same as the text you want to change.
sed (like many *nix utilities) is designed to process inputs a line at a time. sed DOES support a hold buffer and other tricks, but that is advanced usage and can be very brittle AND creates a maintenance nightmare. The GNU sed does support reading the whole file into the buffer, but then you'll need to get it installed in your production environment (assuming this is a real project) and many organizations won't allow such installations. Also processing the whole file requires superior regex skills. Learn to use python below, or as mentioned above xmlstarlet and others.
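As an added example that is not part of the question or of the comments above, the following Python script performs the rewrite the question asks for at the text level. It matches only the exact pair index=restricted_security sourcetype=forcepoint, allowing any run of whitespace (including a line break) between the two terms, and leaves index=restricted_security sourcetype=someother, index=someindex sourcetype=forcepoint and names such as index=restricted_security_v2 untouched. It then rewrites every .xml file under a directory in place after taking a .bak copy, and reports how many matches each file had so that a file with zero or an unexpected number of replacements can be checked before the dashboards are redeployed. The sample dashboard excerpt, the file layout and the function names are constructed for this example. Working on the raw text rather than parsing and re-serializing the XML keeps every other byte of the file exactly as it was, which matters for dashboards whose query elements carry regexes, backslashes and entity escapes that a parser round-trip may rewrite.

```python
import re
import shutil
from pathlib import Path

# Only this exact term pair is rewritten. \b on both ends stops
# "index=restricted_security_v2" or "sourcetype=forcepoint2" from matching,
# and \s+ accepts spaces, tabs or a line break between the two terms.
OLD_INDEX = "restricted_security"
NEW_INDEX = "newname"  # constructed target name, as in the question
PATTERN = re.compile(
    r"\bindex=" + re.escape(OLD_INDEX) + r"\s+sourcetype=forcepoint\b"
)


def rewrite_text(text: str, new_index: str = NEW_INDEX) -> tuple[str, int]:
    """Return (rewritten_text, replacement_count).

    Whitespace between the two terms collapses to a single space, so a
    pair that was split across a line break becomes one search token pair.
    """
    return PATTERN.subn(f"index={new_index} sourcetype=forcepoint", text)


def rewrite_file(path: Path, new_index: str = NEW_INDEX, backup: bool = True) -> int:
    """Rewrite one dashboard in place; return how many matches were changed.

    A file with no match is neither rewritten nor backed up, so re-running
    the script is safe and does not churn untouched files.
    """
    original = path.read_text(encoding="utf-8")
    updated, count = rewrite_text(original, new_index)
    if count:
        if backup:
            shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(updated, encoding="utf-8")
    return count


def rewrite_tree(root: Path, new_index: str = NEW_INDEX) -> dict[str, int]:
    """Apply rewrite_file to every *.xml below root; return {path: count}."""
    return {str(p): rewrite_file(p, new_index) for p in sorted(root.rglob("*.xml"))}


# Constructed sample: a trimmed dashboard with one plain match, the two
# combinations the question says must not change, one match split across a
# line break, and a look-alike index name that must also be left alone.
SAMPLE = """<form version="1.1">
<query>index=restricted_security sourcetype=forcepoint | rex field=_raw "(.*act=(?<Action>.*?)\\s.*)"</query>
<query>index=restricted_security sourcetype=someother | stats count</query>
<query>index=someindex sourcetype=forcepoint | stats count</query>
<query>index=restricted_security
sourcetype=forcepoint | stats count</query>
<query>index=restricted_security_v2 sourcetype=forcepoint | stats count</query>
</form>
"""

if __name__ == "__main__":
    new_text, n = rewrite_text(SAMPLE)
    print(f"{n} replacement(s) in the sample")
    print(new_text)
    # For real files: rewrite_tree(Path("dashboards")) and review the counts.
```

Run the script on its own to see the sample rewritten, then call rewrite_tree on the directory holding the dashboards; keep the .bak files until the rewritten dashboards have been loaded once and checked.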