In the first part of our series we described how to use find (and locate) to search for files using their names. Today we are going to review how to utilize find in a less common but very useful way. But first a few words on testing (okay, this might not be necessary for everyone, but bear with me!).
1. How to test
It is very important to remember that the find command allows you to create a list of objects having the value of a property the same, greater or smaller then given “n” — which stands for a number of days defined as 24 hours periods, with any frictional part ignored:
- +n – value of file property grater than n,
- n – value of file property the same as n,
- -n – value of file property smaller than n.
2. Search using time related information.
One of the most useful features of find is the ability to separate files based on the time of their creation, access and modification. This is done by the family of “time” tests. In “n” language, 47 hours will be given the same value as 25 hours (n=1). This behaviour can be changed by adding the option “-daystart” (measure time from beginning of today, so “n” for yesterday equals 1 in front of a test. Have a look at these time definitions below:
- -mtime n (Modification TIME) – probably the most useful from time-related tests, allowing to search files based on their modification time. If you want to have a list of all log files modified 2 days ago (or to be precise between 48 and 72 hours ago) you can run:
find /var/log -mtime 2
- -atime n (Access TIME) – the results based on a file’s last access time. If you want to see all logs accessed today you can run:
find /var/log -atime 0
Please remember it might be misleading if you check the file system mounted with option -noatime (which improves performance).
- -ctime n ([status] Change TIME) – this test searches files based on change of status (It means ownership, access privileges or type). For example you want to find which (or any at all) of the files in your home directory have changed status in the last 48 hours (which might indicate problems) you can run:
find ~ -ctime -1
Measuring time in days is not always very handy. Sometimes it is necessary to find more recent changes. To make it possible, the above test has minuets-base equivalents:
- -mmin n – test modification time but in minutes rather than days;
- -amin n – test access time but in minutes rather than days;
- -cmin n – test status change time but in minutes rather than days.
Imagine the following situation: You have downloaded a file under five minutes ago, but you are not sure where you have saved it. You can try the following command:
find ~ -mmin -5
In this scenario mmin can be change to amin or cmin, because all “three times” have the same initial value.
Lastly, there are tests allow you to search files in relation to a property of another file. For example:
- -newer file – returns files modified more recently than the given file,
- -anewer file – return files accessed more recently than the given file,
- -cnewer file – return files with the status changed more recently than for the given file.
For example, the following command will list all files accessed later than file DSCF1002.avi in directory /home/movies:
find /home/movies -anewer DSCF1002.avi
There is also a fourth ‘newer’ test:
- -newerXY reference – which compares timestamp with the given timestamp of the reference file. XY has to be substituted by one or two from the following timestamp type:
- a – access time,
- B – birth (creation) time,
- c – inode status change time,
- m – modification time,
- t – reference is interpreted directly as a time.
Please remember that not all combinations are supported (notable X cannot equal t) and B is not supported on all systems. For example, to get the list of all files accessed in /var/cache later than (in BST) July 20th 10:45:32 2011:
find /var/cache -newerat ‘Jul 20 10:45:32 BST 2011’
To create another list with files modified later than the last access to your .profile file:
find /var/cache -newerma ~/.profile
There is one more test that allows you to search based on a time-related parameter:
- -used n – creates the list of files accessed “n” days after its status was last changed. To find not very often accessed files (let say one month) in /var directory, use this command:
find /var/ -used +30
Appendix. ls and time
You can try to create similar lists with a little help from the ls command. There are three ls commands that correspond to the above find test. They allow you to sort files according to:
- -t – modification time (mtime);
- -u – access time (atime);
- -c – status change time (ctime).
Option -t simply sorts by modification time, but option -u and -c behave different in connection with other options:
- ls -u – sorts by access time (receptively ls -c sorts by status change time);
- ls -ul – shows access time but sorts by name (ls -cl – shows status change time but sorts by name);
- ls -ult – shows and sorts by access time (ls -clt – shows and sorts by status change time).
Monitis is constantly striving to make sysadmin lives easier and more productive. Sometimes, it seems like you do nothing but put out fires…and that leaves you precious little time to attend to bigger, more strategic tasks.
That’s why we keep producing these series of blogs — in the hopes that the information we research and present (like how to protect your network and prevent firewall disasters or eight free tools every sysadmin needs) will make system administration — and life — easier.