
Sed command not matching and replacing pattern on multi line xml

1 vote
3 answers
304 views
I have many XML files as below where I would like to replace a string with a new string. I cannot seem to get the sed command to work on the XML files.

    Forcepoint DLP Dashboard - LongTerm Activity for those with Long-Term Exceptions Timeframe -48h@h now

    Macros In Use:

    ForcepointApprovedUSB = Known Approved USB Devices

    ForcepointKnownCDDVD = Known CD/DVD Drives

    ForcepointKnownMultiFunction = Known Multi-Function Devices

    Exception Info
    index=restricted_security sourcetype=forcepoint | rex field=_raw "(.*act=(?.*?)\s.*)" | rex field=_raw "(.*duser=(?.*?)(:\s\d|;|\sfname=).*)" | rex field=_raw "(.*duser=.*?;\s(?.*?)\sfname=)" | rex field=_raw "(.*fname=(?.*?)\smsg=.*)" | rex field=_raw "(.*fname=.:\\\(?.*)(?:\s-\s.*)\smsg=.*)" | rex field=_raw "(.*suser=(?.*)\scat=.*)" | rex field=_raw "(.*loginName=.*\\\\(?.*)\ssourceIp=.*)" | rex field=_raw "(.*sourceIp=(?.*)\sseverityType=.*)" | rex field=_raw "(.*sourceHost=(?.*)\sproductVersion=.*)" | rex field=_raw "(.*sourceServiceName=(?.*)\sanalyzedBy=.*)" | eval Username=lower(Username) | eval Action=if(isnull(Action),"-",Action) | eval Serial=if(isnull(Serial),"-",Serial) | eval EnumDeviceType=case( (ForcepointApprovedUSB),"ApprovedUSB", (ForcepointKnownCDDVD),"CDDVD", (ForcepointKnownMultiFunction),"MultiFunction", AlertType="Endpoint Applications" AND Device="Bluetooth","Bluetooth", AlertType="Endpoint Removable Media" AND Device="Windows Portable Device (WPD)","WPD", AlertType="Endpoint Removable Media" AND Device!="Windows Portable Device (WPD)" AND NOT (ForcepointApprovedUSB) AND NOT (ForcepointKnownCDDVD) AND NOT (ForcepointKnownMultiFunction),"UnApprovedUSB") | join type=inner Username [ search index=restricted_security sourcetype=dlp_lt | rename UserID as Username | eval Check = "Yes" | fields Username,Check,Justification,Type,ExpireDate ] | where isnotnull(EnumDeviceType) AND Check="Yes" | eval Time=strftime(_time, "%B %d, %Y %H:%M %Z") | dedup Username | table Time Username Name Justification Type ExpireDate | sort Name
    $TimeFrame.earliest$ $TimeFrame.latest$ none progressbar

    Transfers By Those With Long-Term Exceptions
    index=restricted_security sourcetype=forcepoint | rex field=_raw "(.*act=(?.*?)\s.*)" | rex field=_raw "(.*duser=(?.*?)(:\s\d|;|\sfname=).*)" | rex field=_raw "(.*duser=.*?;\s(?.*?)\sfname=)" | rex field=_raw "(.*fname=(?.*?)\smsg=.*)" | rex field=_raw "(.*fname=.:\\\(?.*)(?:\s-\s.*)\smsg=.*)" | rex field=_raw "(.*suser=(?.*)\scat=.*)" | rex field=_raw "(.*loginName=.*\\\\(?.*)\ssourceIp=.*)" | rex field=_raw "(.*sourceIp=(?.*)\sseverityType=.*)" | rex field=_raw "(.*sourceHost=(?.*)\sproductVersion=.*)" | rex field=_raw "(.*sourceServiceName=(?.*)\sanalyzedBy=.*)" | eval Username=lower(Username) | eval Action=if(isnull(Action),"-",Action) | eval Serial=if(isnull(Serial),"-",Serial) | eval EnumDeviceType=case( (ForcepointApprovedUSB),"ApprovedUSB", (ForcepointKnownCDDVD),"CDDVD", (ForcepointKnownMultiFunction),"MultiFunction", AlertType="Endpoint Applications" AND Device="Bluetooth","Bluetooth", AlertType="Endpoint Removable Media" AND Device="Windows Portable Device (WPD)","WPD", AlertType="Endpoint Removable Media" AND Device!="Windows Portable Device (WPD)" AND NOT (ForcepointApprovedUSB) AND NOT (ForcepointKnownCDDVD) AND NOT (ForcepointKnownMultiFunction),"UnApprovedUSB") | join type=inner Username [ search index=restricted_emn_security sourcetype=dlp_lt | rename UserID as Username | eval Check = "Yes" | dedup Username | fields Username, Check ] | where isnotnull(EnumDeviceType) AND Check="Yes" | eval Time=strftime(_time, "%B %d, %Y %H:%M %Z") | table Time Username Name Action Source Filename Device Serial EnumDeviceType | sort -Time
    $TimeFrame.earliest$ $TimeFrame.latest$ 30 none

The pattern I would like to replace is

    index=restricted_security sourcetype=forcepoint

with

    index=newname sourcetype=forcepoint

So any pattern where index=restricted_security sourcetype=forcepoint should be replaced with the new value. The XML files have many combinations like index=restricted_security sourcetype=someother value, index=someindex sourcetype=forcepoint etc., but they don't need to be replaced.

I have tried many patterns like below with many combinations of sed, but it does not seem to work:

    sed 's/index=restricted_security\s\nsourcetype=forcepoint/index=restricted_security sourcetype=forcepoint/g'

Can someone please point out how to get this to replace?
Asked by ranjit abraham (145 rep)
Oct 10, 2024, 02:45 PM
Last activity: Oct 11, 2024, 02:18 PM
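The reason the attempts in the question never match is that sed works on one line at a time: the pattern space normally holds a single line with its trailing newline stripped, so a regex containing `\n` has nothing to match against when `index=restricted_security` ends one line and `sourcetype=forcepoint` starts the next. (`\s` is also a GNU extension rather than POSIX sed syntax.) The script below is an added example, not code from the question or the asker: it joins the whole file into the pattern space with the portable `:a` / `$!{N;ba}` loop and then substitutes across the line break, keeping whatever whitespace was there. The dashboard fragment it runs on is constructed for the demo, and `newname` is the placeholder index from the question.

```shell
#!/bin/sh
# Added example (not from the question). sed keeps one line in its pattern space
# by default, so a regex containing \n can never match the line break between
# "index=restricted_security" and "sourcetype=forcepoint". Load the whole file
# into the pattern space first, then substitute with [[:space:]] matching a
# space, tab or newline.

# Constructed sample dashboard fragment: one wrapped match, one single-line
# match, and three look-alike combinations that must be left alone.
write_sample() {
  cat > "$1" <<'EOF'
<query>index=restricted_security
sourcetype=forcepoint | stats count</query>
<query>index=restricted_security sourcetype=forcepoint | stats count</query>
<query>index=restricted_security sourcetype=someother | stats count</query>
<query>index=someindex sourcetype=forcepoint | stats count</query>
<query>index=restricted_security
    sourcetype=someother | stats count</query>
EOF
}

# Print the file with every "index=restricted_security<ws>sourcetype=forcepoint"
# rewritten to "index=newname<ws>sourcetype=forcepoint". The captured whitespace
# (\1) is re-emitted, so wrapped and unwrapped occurrences keep their layout.
# ':a' / '$!{N;ba}' appends lines until the last one is in the pattern space;
# the block form also handles a one-line file, where N would otherwise exit.
# Assumed new index name: newname (the question's placeholder).
replace_index() {
  sed -e ':a' -e '$!{N;ba' -e '}' \
      -e 's/index=restricted_security\([[:space:]]\{1,\}\)sourcetype=forcepoint/index=newname\1sourcetype=forcepoint/g' \
      "$1"
}

# Post-edit check: exit 0 if the target pattern (wrapped or not) still occurs
# anywhere in the file, 1 if the rewrite is complete. Lines are joined with tr
# so a match split across a line break is still seen.
target_remains() {
  tr '\n' ' ' < "$1" |
    grep -q 'index=restricted_security[[:space:]]*sourcetype=forcepoint'
}

# Demo on the constructed sample. Writing through a temporary file and moving
# it over the original works with any sed; in-place editing differs between
# GNU (-i) and BSD (-i '') sed.
sample=$(mktemp)
write_sample "$sample"
replace_index "$sample" > "$sample.new" && mv "$sample.new" "$sample"
cat "$sample"
rm -f "$sample"
```

With GNU sed the join loop can be replaced by `sed -z`, which treats the whole input as one record, and `perl -0pe 's/.../.../g'` does the same with Perl regexes; neither is available in BSD or busybox sed, which is why the loop above is the portable form. Because sed has no idea of XML structure, the substitution also fires inside comments or CDATA, which is what you want for a search string but worth keeping in mind; run the rewrite from a clean checkout or with backups so a bad pattern across many files is easy to revert.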