Overview
The find command is a powerful tool used to search for files within a system based on various conditions such as filename, modification time, size, permissions, and ownership. It does more than just locate files; it can also perform bulk actions like deleting, moving, or changing permissions on the search results. This makes it essential for server management, log rotation, and cleaning up unnecessary files.
Specifications (Arguments and Options)
Syntax
find [search-path] [options] [expression] [action]
Main Options (Controlling Search Range)
| Option | Description |
-L | Follow symbolic links during the search. |
-maxdepth <levels> | Specify the maximum depth of directory levels to search (1 searches only the current directory). |
-mindepth <levels> | Specify the minimum depth of directory levels to begin the search. |
Main Expressions (Search Conditions)
| Expression | Description |
-name <string> | Search by filename (supports wildcards). Case-sensitive. |
-iname <string> | Similar to -name, but case-insensitive. |
-type <type> | Search by file type (f: regular file, d: directory, l: link, etc.). |
-size <size> | Search by file size (k: KB, M: MB, G: GB; e.g., +10M for over 10MB). |
-mtime <n> | Search for files modified exactly n days ago (+n: more than n days, -n: within n days). |
-mmin <n> | Search for files modified n minutes ago. |
-atime / -ctime | Search by last access time / status change time (usage is same as mtime). |
-newer <file> | Search for files modified more recently than the specified file. |
-user <user> | Search for files owned by the specified user (ID can also be used: -uid). |
-group <group> | Search for files owned by the specified group (ID can also be used: -gid). |
-perm <mode> | Search for files with specific permissions (e.g., -perm 755). |
-empty | Search for empty files or directories. |
-regex <pattern> | Match the entire path against a regular expression. |
Main Actions (Post-Search Processing)
| Action | Description |
-print | Print the search results (paths) to standard output (default behavior). |
-print0 | Output results separated by a null character (used with xargs -0 for filenames with spaces). |
-ls | Display detailed information in ls -dils format. |
-delete | Immediately delete files that match the search criteria. |
-exec <command> \; | Execute the specified command for each match ({} is replaced by the filename). |
-ok <command> \; | Same as -exec, but prompts for confirmation before execution. |
Basic Usage
The most basic usage is specifying a path and a filename to search.
Command
# Search for files named "hosts" under the /etc directory
find /etc -name hosts
Execution Result
/etc/hosts
/etc/avahi/hosts
Practical Commands
Search for Log Files Using Wildcards
Use partial matches or patterns to narrow down files.
# Search for files starting with "syslog" and ending with any number under /var/log
find /var/log/ -name "syslog.[0-9]*"
Search for Files Owned by a Specific User
This is useful when identifying files left by a former user.
# Search for files owned by "deploy_user" in /home/users
find /home/users/ -user deploy_user
Limit Search Depth
This prevents deep directory exploration and targets only top-level items.
# Search for directories starting with "man" followed by numbers 1-3 directly under /usr/share/man (depth 1)
find /usr/share/man -maxdepth 1 -type d -name "man[1-3]*"
Search and Delete by Modification Time (Cleaning Old Files)
This is used to periodically delete logs older than a specific number of days. Understanding the use of + (older than), - (within), and the number itself is critical.
# Search for log files modified "5 days or more ago," display details, and delete them
# (-exec rm -vf {} \;) passes the found files to the rm command
find ./logs -type f -name "*.log" -mtime +5 -exec rm -vf {} \;
removed './logs/app_20250101.log'
removed './logs/app_20250102.log'
Search Within a Specific Time Range
This extracts files that are older than 2 days but newer than 5 days.
# Display files modified more than 2 days ago AND within 5 days
find . -type f -mtime +2 -mtime -5 -ls
Archive Search Results (Using xargs)
Pipe the search results to xargs to combine them into a single archive with tar. Using -print0 and xargs -0 ensures safe handling of filenames containing spaces.
# Search for all .txt files in the current directory and compress them into a tar.gz
find . -type f -name "*.txt" -print0 | xargs -0 tar cfvz /tmp/text_files_backup.tgz
Customization Points
- Combining Conditions: The default is an AND search, but using
-oallows for OR searches (e.g.,-name "*.jpg" -o -name "*.png"). - Exclusion: Use
!or-notto invert the condition (e.g.,! -name "*.log"to search for everything except log files). - Size Search: Identify large files or clean up small junk files using
-size +100M(larger than 100MB) or-size -1k(smaller than 1KB).
Important Notes
- Server Load: Searching from the root directory (
find / ...) causes significant disk I/O load and can slow down the server. Narrow the search path as much as possible. - mtime Calculation:
-mtime +1means “before the point 24 hours x 1 ago” (effectively 2 days or more). Since this can be unintuitive, testing with dummy files is recommended. - Security in Execution: When using
-exec, special characters in filenames may cause unexpected behavior. Use the-exec ... {} +or-print0 | xargs -0formats whenever possible.
Applications
Create Test Data to Verify Search Behavior
This script creates empty files with spoofed timestamps to verify how mtime works.
# Create empty files dated 12:00 from January 5 to January 9, 2025
for i in $(seq 5 9); do
touch -d "2025-01-0${i} 12:00" "dummy_2025010${i}.txt"
done
# Verify: Search for files older than 7 days
find . -name "dummy_*.txt" -mtime +7
Summary
The find command is one of the most flexible and frequently used tools in Linux administration. It allows for filtering based on attributes like modification time, ownership, and size, and connects those results directly to actions like deletion, movement, or compression. It is recommended to start with basic name searches using -name and gradually move toward automated processing by combining -mtime and -exec.
