Real-Time File Searching with find

The find command performs an exhaustive, real-time traversal of the filesystem hierarchy, evaluating files based on specified criteria.

Search Criteria

• Name Matching: -name for case-sensitive matches and -iname for case-insensitive matches.

  find /usr/local -name "*.cfg"
  find ./config -iname "settings"
  

• Ownership: -user and -group filter by file owner or group.

  find /opt -user admin
  find /var -group devops
  

• File Type: -type specifies the category (f: regular file, d: directory, l: symbolic link, b: block device, c: character device, p: pipe).

  find ./logs -type f
  find ./data -type d
  

• File Size: -size with + (greater than), - (less than), or exact values.

  find /var -size -50k
  find /backup -size +2M
  

• Modification Time: -mtime (days) and -mmin (minutes). A leading - means within the period, while + means older than the period.

  find /srv -mtime -2 -name '*.yaml'
  find /etc -mmin +60
  find /tmp -mmin -15 -type d
  

• Depth Control: -mindepth and -maxdepth restrict the traversal depth.

  find /var/log -mindepth 2 -name '*.log'
  find /opt -maxdepth 1 -type f
  

• Permissions and Orphaned Files: -perm checks mode bits, while -nouser and -nogroup locate files without valid owner or group entries.

  find ./www -perm 755
  find /tmp -type f -nouser
  find /tmp -type f -nogroup
  

• Excluding Paths: Combine -path with -prune to omit directories from the search.

  find / -path /proc -prune -o -path /sys -prune -o -type f -print
  find / -path /var/cache -prune -o -type f -user admin -print
  

• Comparing Timestamps: -newer finds files modified more recently than a reference file.

  find /etc -newer /etc/hostname
  

Logical Operators

Criteria can be combined using -a (AND), -o (OR), and ! or -not (NOT).

find . ! -user admin
find . -type f -a -user admin -a -size +500c
find . -type f -a \( -user admin -o -name '*.xml' \)

Executing Actions

By default, find prints results (-print). The -exec flag applies an external command to matched files, while -ok prompts for confirmation first.

# Delete large temporary files
find /tmp -type f -name "*.tmp" -size +5k -exec rm -f {} \;

# Remove old archive logs
find /var/log/archives -name "*.gz" -mtime +14 -exec rm -rf {} \;

# Copy matched configuration files to a backup directory
find /opt/app -type f -name "*.conf" -exec cp {} /backup/conf/ \;

# Prompt before deleting files
find ./staging -type f -ok rm -f {} \;

Rapid Lookup with locate

The locate command queries a pre-constructed database (typically /var/lib/mlocate/mlocate.db), making it significantly faster than find. However, it cannot detect files created after the last database update.

# Update the database manually
sudo updatedb

# Partial match searching
locate settings.cfg

Because it relies on a scheduled index, newly created files remain invisible to locate until updatedb runs.

Binary and Documentation Lookup

whereis

whereis returns the source, binary, and manual page locations for a command.

# Retrieve all related paths
whereis nginx

# Limit to binaries only
whereis -b nginx

# Limit to manual pages only
whereis -m nginx

which

which identifies the exact executable path invoked by the shell environment.

which docker

Utility Selection Strategy

• find: Ideal for complex queries requiring precise criteria (size, permissions, modification time) and real-time accuracy. It is powerful but slower on large directories.
• locate: Best suited for quickly locating single files by name when real-time precision is not strictly required.
• whereis: Useful for finding program-related files like binaries and documentation.
• which: The standard choice for determining the absolute path of an executable currently active in the shell.