Listing and Finding Things

This section covers the broad subject of listing files in directories, showing file contents, finding files and finding files that contain specific contents.

Tested on Red Hat/CentOS v5, v6, v7



listing files

The ls command lists information about files in the current directory by default, sorting entries alphabetically.

> ls
123   123a123b123  abc   abcde        newbackup12.tar  RA23a123b123  rA23ab123b123
1234  A23a123b123  abcd  backup1.tar  newbackup1.tar   rA23a123b123  src

This command comes with many useful switches. Here are some examples...

  • ls -l lists in long form, showing whether each entry is a file or directory, its size, modification date and time, name, owner and permissions.
  • ll this is a shortcut command for the above. I almost always use this version of the command.
  • ls -l /etc same as above, except displays for specified directory /etc
  • ls -lh shows sizes in human readable format.
  • ll -a lists all files, including hidden files starting with a period.
  • ll -F adds the ‘/’ character at the end of each directory, an asterisk for executables, and an at sign (@) for linked files
  • ll -R lists directory trees recursively in long form.
  • ll -t sorts by modification time, newest first

wildcards with ls/ll

A wildcard is a character that can be used as a substitute for any one or more character in a search, thereby greatly increasing the flexibility and efficiency of searches. The star wildcard can represent zero, one or many characters.

list all files that contain word backup and end with ".tar"

ll *backup*.tar
-rw-r--r--. 1 root root 0 Sep 24 18:59 backup1.tar
-rw-r--r--. 1 root root 0 Sep 24 18:59 newbackup12.tar
-rw-r--r--. 1 root root 0 Sep 24 18:59 newbackup1.tar

Pattern matching with ll/ls

all files that start with lowercase or uppercase "r"

ll [rR]*

all files that contain "a" with a "b" immediately afterwards

ls *[a][b]*

all files that contain "a" with a "b" somewhere afterwards

ls *[a]*[b]*

all files that contain ANY of characters 2016 in /var/log/.

# ll -l  /var/log/*[2016]*
-rw-------. 1 root root   9012 Sep 20 03:21 /var/log/cron-20160920
-rw-------. 1 root root   1584 Sep 20 01:03 /var/log/maillog-20160920
-rw-------. 1 root root 738281 Sep 20 03:21 /var/log/messages-20160920
-rw-------. 1 root root      0 Sep 15 01:15 /var/log/spooler-20160920
-rw-r--r--. 1 root root      0 Sep 22 20:24 /var/log/serviceA-1
-rw-r--r--. 1 root root      0 Sep 22 20:24 /var/log/serviceB-160101
-rw-r--r--. 1 root root      0 Sep 22 20:23 /var/log/serviceC-16200101





tree

The tree command lists the contents of directories in a tree-like format. tree is a recursive directory listing program that produces a depth indented listing of files. tree may not be installed in every distribution. Use yum install tree to install.

> tree /etc  | more
/etc
├── adjtime
├── aliases
├── aliases.db
├── alternatives
│   ├── ld -> /usr/bin/ld.bfd
│   ├── libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so
│   ├── mta -> /usr/sbin/sendmail.postfix
│   ├── mta-aliasesman -> /usr/share/man/man5/aliases.postfix.5.gz
│   ├── mta-mailq -> /usr/bin/mailq.postfix
│   ├── mta-mailqman -> /usr/share/man/man1/mailq.postfix.1.gz
│   ├── mta-newaliases -> /usr/bin/newaliases.postfix
│   ├── mta-newaliasesman -> /usr/share/man/man1/newaliases.postfix.1.gz
│   ├── mta-pam -> /etc/pam.d/smtp.postfix
│   ├── mta-rmail -> /usr/bin/rmail.postfix
│   ├── mta-sendmail -> /usr/lib/sendmail.postfix
│   └── mta-sendmailman -> /usr/share/man/man1/sendmail.postfix.1.gz
├── anacrontab
├── asound.conf
├── audisp
│   ├── audispd.conf
│   └── plugins.d
│       ├── af_unix.conf
│       └── syslog.conf
├── audit
...





stat - display formatted file details

The Linux stat command is a tool that can be used for displaying detailed information relating to a file or file system on a Linux system. By default the stat command should be available on most distributions of Linux.

The simplest use of the stat command is to pass the name of a file to the command. In the example below you can see the default output from the stat command. Basic information such as size, file type, Inode information, Number of links, Access, Modification and Change date and time stamps are displayed. The stat command is often used to view Modification/access times on a file. (A more detailed way of displaying creation time and access time stamps on a file is to use the debugfs command)

> stat /etc/passwd
  File: ‘/etc/passwd’
  Size: 1307            Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 16784286    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:passwd_file_t:s0
Access: 2015-11-24 15:16:38.826200796 -0500
Modify: 2015-11-18 15:38:59.975483707 -0500
Change: 2015-11-18 15:38:59.977650390 -0500
 Birth: -

Use the -f option to report status of a filesystem

> stat -f /dev/sda1
  File: "/dev/sda1"
    ID: 0        Namelen: 255     Type: tmpfs
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 122009     Free: 122009     Available: 122009
Inodes: Total: 122009     Free: 121595

Using stat with --format to generate a listing similar to the Linux ll command

where:
--format or -c - custom format
%A - access rights in human readable format
%h - Number of hard links
%U - User name of owner
%G - Group name of owner
%s - Total size, in bytes
%.16y - Time of last modification
%n - File name

> stat --format "%A %h %U %G %s %.16y %n" /var/*
drwxr-xr-x 2 root root 6 2016-11-05 11:38 /var/adm
drwxr-xr-x 5 root root 44 2017-11-05 07:12 /var/cache
drwxr-xr-x 2 root root 6 2017-10-19 17:03 /var/crash
drwxr-xr-x 3 root root 34 2017-11-18 16:30 /var/db
-rw-r--r-- 1 user1 user2 0 2017-11-25 07:34 /var/test
...

Use %C to get SELinux security context information

> stat --format "%n %A %C" /var/*
/var/adm drwxr-xr-x system_u:object_r:var_t:s0
/var/cache drwxr-xr-x system_u:object_r:var_t:s0
/var/crash drwxr-xr-x system_u:object_r:kdump_crash_t:s0
/var/db drwxr-xr-x system_u:object_r:system_db_t:s0
/var/empty drwxr-xr-x system_u:object_r:var_t:s0

...




find

The find command allows you to search for files in a directory hierarchy. It can be slower than the locate command, so it is best to specify a starting directory if you know where your file may be located.

Some useful switches

The find command has many switches and options. These include:

  • find / -name string - Base of file name matches shell pattern. Can use metacharacters including '*', '?', and '[]'.
  • find / -iname string - Like -name, but the match is case insensitive.
  • find / -type f - Match by type. Commonly searched types include f (file), d (directory), s (socket)
  • find / -mtime n - File's data was last modified n*24 hours ago.
  • find / -group name - File belongs to a specific group
  • find / -maxdepth integer - look only specific number of directories deep

processing results of a find

If you run find with -exec, {} expands to the filename of each file or directory found, so the command you specify (ls, stat, cp and so on) receives each found filename as an argument. Note that find calls the command once for each file found.

Semicolon ; ends the command executed by exec. It needs to be escaped with \ so that the shell you run find inside does not treat it as its own special character, but rather passes it to find.


Examples

1. Find all files called profile. The find command automatically assumes that you want to search recursively

>  find / -name profile
/etc/lvm/profile
/etc/profile

2. Find all file names starting with phrase prof in /etc directory. -iname allows you to ignore case

> find /etc -iname 'prof*'

3. Find all files (type f) modified in year 2015

this finds all files, displays by date & file name, then greps for string 2015 only.
stat helps us format the file information where
%y specifies date/time of last modification
%n specifies complete file and directory name

> find /var -type f -exec stat -c "%y %n " {} \; | grep 2015

4. For directories, change type file(f) to type directory (d).

> find /var -type d -exec stat  -c "%y %n " {} \; | grep 2015

5. find and copy

> find /home/user1/ -name 'test*' -exec cp {} /home/user2  \;

6. Files in /home modified in last 31 days

> find /home -mtime -31  -type f -exec stat -c "%A %h %U %G %s %.16y %n " {} \;
-rw-rwxr-- 1 root root 0 2015-11-16 18:35 /home/file1
-rw-r--r-- 1 root root 0 2015-11-16 20:20 /home/dir1/file1
----rwx-w- 1 root root 0 2015-11-18 03:31 /home/file22

7. Files modified in last 30 minutes

> find / -mmin -30  -type f -exec stat  -c "%y %n " {} \;

8. Find files whose names contain the string "ifcfg-", up to 4 directory layers down

> find / -maxdepth 4  -name '*ifcfg-*'
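The following is an added example, not part of the original page. It combines the -mmin and stat format examples above into a reusable function, and counts how often find starts the -exec command when it is terminated with \; versus +. The function names and the sample tree are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: the sample tree below is constructed, not from the page.

# List regular files under $1 modified in the last $2 minutes, ll-style.
# "{} +" hands many names to a single stat call. Names containing spaces
# stay intact because find passes each name as its own argument.
recent_files() {
    find "$1" -type f -mmin "-$2" \
        -exec stat -c '%A %h %U %G %s %.16y %n' {} +
}

# Count how many times find starts the -exec command.
# $2 = "each" terminates with \; (once per file); anything else uses +.
exec_runs() {
    if [ "$2" = each ]; then
        find "$1" -type f -exec sh -c 'echo run' sh {} \; | wc -l | tr -d ' '
    else
        find "$1" -type f -exec sh -c 'echo run' sh {} + | wc -l | tr -d ' '
    fi
}

# Constructed sample data: two fresh files and one backdated file.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
touch "$demo/file1" "$demo/new report.txt"
touch -t 201511161835 "$demo/old.log"    # set mtime to 2015-11-16 18:35

recent_files "$demo" 30
printf 'per-file runs: %s, batched runs: %s\n' \
    "$(exec_runs "$demo" each)" "$(exec_runs "$demo" batch)"
```

On a large tree the + form is noticeably faster, because one process handles many files instead of one process per file.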



locate

locate is similar to find, but is based on a database. It has to be installed from the repository on RedHat/CentOS 7. locate reads one or more databases prepared by updatedb and writes the file names matching the requested pattern.

Install locate

> yum install mlocate

Update locate database

> updatedb

Using locate to find file name

>  locate ifcfg-ens33
/etc/sysconfig/network-scripts/ifcfg-ens33

Using locate to find substring of name and directory

>  locate scripts/ifcfg-
/etc/sysconfig/network-scripts/ifcfg-Myhome1
/etc/sysconfig/network-scripts/ifcfg-Myhome1-1
/etc/sysconfig/network-scripts/ifcfg-ens33
/etc/sysconfig/network-scripts/ifcfg-lo



Listing files: cat, more, less, head, & tail

These are several commands used to view content of text files in Linux.

  • cat displays an entire file. Can be used to join multiple files together and print the result on screen
  • more view a text file one page at a time, press spacebar to go to the next page
  • less same as the more command, except you can navigate up and down through the file
  • head displays the first ten lines of a file, unless otherwise stated.
  • tail displays the last part of the file. Option to follow file in real time.

Examples:

# cat myfile.txt
# more myfile.txt
# less myfile.txt
# head -10 myfile.txt
# tail myfile.txt

Notably the -f (follow) option on the tail command, allows you to view log files in real time.

# tail -f /var/log/mylog.txt
# tail -F /var/log/mylog.txt


grep - searching for text

grep is a command-line utility for searching plain-text data sets for lines matching a regular expression. Its name comes from the ed command g/re/p (globally search a regular expression and print), which has the same effect: doing a global search with the regular expression and printing all matching lines.


Some basic grep examples

look for the string test in myfile.txt using grep

> grep 'test' myfile.txt
this is a test
another line with test

This is another approach. Look for the string test in myfile.txt using cat and grep

> cat myfile.txt | grep 'test'
this is a test
another line with test

look for the string test in directory /home and subdirectories

> grep -r 'test' /home
this is a test
another line with test

look for the lines that don't contain the word test using the invert-match (-v) switch

> grep -v 'test' myfile.txt

look for the string 'test' in myfile.txt - case insensitive (checks for both upper and lower case)

> grep -i 'TeSt' myfile.txt

look for the string 'all' in /home directory and sub-directories (recursive) using -R or -r

> grep -r 'all' /home

look for the full word 'all' in /home directory and sub-directories. A full word is bounded by non-word characters (such as spaces or punctuation) or by the start or end of the line

> grep -rw 'all' /home

count number of lines that contain match from output grep command using wc command

> grep 'test' myfile.txt | wc -l
2

add line numbers (n)

> grep -n 'test' myfile.txt
1:this is a test
2:another line with test

show 2 lines after each matching line. Here we use the -A switch for lines after. Use -B for lines before.


> grep -nA 2 'test' myfile.txt
1:this is a test
2-another line
3-another line
--
5:another line with test
6-the quick cat jobs over the lazy dog
7-TEST UPPER CASE

grep with regex syntax

some regex syntax

^       - starts with
$       - ends with
.       - any single character
*       - the preceding item will be matched zero or more times
?       - the preceding item will be matched zero or one time (written \? in basic grep, ? with grep -E)
\       - turn off the special meaning of the next character
[]      - match any one of the enclosed characters
\{x,y\} - match x to y occurrences of the preceding item
\{x\}   - match exactly x occurrences of the preceding item
\{x,\}  - match x or more occurrences of the preceding item

find lines that start with 123

grep '^123' myfile.txt

lines that end with 123

grep '123$' myfile.txt

lines that start with 123 and end with the same 123 (that is, lines consisting of exactly 123)

grep -E '^123$' myfile.txt

lines that do not contain 123

grep -v '123' myfile.txt

find any lines containing number 0 to 9 or a to z in any file in current directory

grep '[0-9a-z]' *

find any lines consisting of exactly five digits (0 to 9) in any file in current directory

grep '^[0-9]\{5\}$' *

show non-empty lines which do not begin with '#' or ';'

grep '^[^#;]' /etc/httpd/conf/httpd.conf

show line if it begins with one to six numbers (0 to 999999) with nothing afterwards

grep '^[0-9]\{1,6\}$' myfile.txt

Word boundaries: \b matches at the edge of a word. Here we will find "the" but not "there"

grep -i "\bthe\b" myfile.txt

find USA, or United/united followed by a space or a hyphen and then States/states

grep 'USA\|\([Uu]nited\( \|\-\)[Ss]tates\)' *

character class syntax

[:digit:] 	Only the digits 0 to 9
[:alnum:] 	Any alphanumeric character 0 to 9 OR A to Z or a to z.
[:alpha:] 	Any alpha character A to Z or a to z.
[:blank:] 	Space and TAB characters only.

show lines with one or more digits (quote the pattern so the shell does not expand the brackets)

grep '[[:digit:]]' myfile.txt

pipe to grep

pipe list of processes into grep command and search for any process that contains the string http

ps -A | grep http

list all files in all directories and look for string 2015

ls -R / | grep 2015


egrep - Extended grep

egrep is the same as grep but permits some advanced regular expression functionality. egrep functions can be obtained using egrep command or grep with -E switch.


look for the lines that contain test or abc

> egrep  'test|abc' myfile.txt
> grep -E  'test|abc' myfile.txt
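The following is an added example, not part of the original page. It runs the same three searches in basic syntax (plain grep) and extended syntax (grep -E) to show which metacharacters need a backslash in each. The function names and input lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; the input lines below are constructed.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' 12345 123456 1234567 USA 'united states' \
    United-States unitedstates color colour > "$sample"

# Count matching lines using basic (BRE) syntax, as plain grep does.
# "|| true" keeps a zero count from being treated as a failure.
bre_count() { grep -c -- "$1" "$sample" || true; }

# Count matching lines using extended (ERE) syntax: grep -E, i.e. egrep.
ere_count() { grep -E -c -- "$1" "$sample" || true; }

# Interval: braces are escaped in BRE, bare in ERE.
printf 'interval    BRE=%s ERE=%s\n' \
    "$(bre_count '^[0-9]\{1,6\}$')" "$(ere_count '^[0-9]{1,6}$')"

# Alternation: \| in BRE (a GNU extension), | in ERE.
printf 'alternation BRE=%s ERE=%s\n' \
    "$(bre_count 'USA\|[Uu]nited[ -][Ss]tates')" \
    "$(ere_count 'USA|[Uu]nited[ -][Ss]tates')"

# Optional item: a bare ? is a literal question mark in BRE, so plain
# grep finds nothing here, while grep -E matches both spellings.
printf 'optional    BRE=%s ERE=%s\n' \
    "$(bre_count 'colou?r')" "$(ere_count 'colou?r')"
```

A pattern copied between grep and egrep without adjusting the backslashes can silently match nothing, which matters when the search is used to confirm that something is absent from a log.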


sed - the Linux Stream Editor

sed is a powerful tool or command used for efficient text processing in Unix.

Suppress all lines containing the string test

cat myfile.txt | sed -e '/test/d'

This is similar to the match-inverse switch with grep

grep -v 'test' myfile.txt

Checking configuration files

Apache configuration
# vi /etc/httpd/conf/httpd.conf



Checking logs

Various Apache logs
# vi /var/log/httpd/error_log
# vi /var/log/httpd/php_error_log
# vi /var/log/httpd/ssl_access_log
# vi /var/log/httpd/ssl_error_log
# vi /var/log/httpd/ssl_request_log
