In this article you will learn how to find files based on the last time they were accessed, changed or modified.
Table of Contents
- What is the Find Command in Linux?
- Finding Files by Their Timestamp
- The Find Command Syntax
- Find Options Used in This Article
- The Difference Between -[a,c,m]time and –[a,c,m]min Options
- Searching for Files Accessed, Changed or Modified *Exactly* n Time Ago
- Searching for Files Accessed, Changed or Modified *Less* Than n Time Ago
- Searching for files accessed, changed or modified *more* than n time ago.
- Searching for files accessed, changed or modified using two time measurement options
- Bonus: Chaining find with other Linux command
- Conclusion
What is the Find Command in Linux?
The find command is an important command used for searching and locating files and directories within Linux / Unix based systems. This utility will evaluate the passed in expressions and displays the outcome accordingly.
Locating files with the find program can be very flexible and extremely helpful to a degree that average GUI (Graphical user interface) users won’t be able to achieve similar accurate results as efficient.
Users can chain other commands with find to be executed against every item found. Using the find command will allow you to search for files and directories by matching name patterns, by size, by permissions, and also by timestamp.
Finding Files by Their Timestamp
Locating files based on their timestamps can be very useful; the find command provides various options that will help the Linux user to list files by their last accessed, changed or modified within a specified time range (days or minutes) – from the current time of the start of the day –
The time-test options offered by the find command can located files based on the following attributes:
- Access time of the file. The Access time of a file will get updated every time the file is accessed
- Modification time of the file. The Modification time of a file will get updated every time the file content is modified.
- Change time of the file. The Change time of a file will get updated every time the file’s metadata is changed; such as permissions or ownership (triggering the inode number to change)
The Find Command Syntax
find [directory] [options] [criteria, by default = -print] [action]
Find Options Used in This Article
| Option | Description |
|---|---|
-amin n | The last access time of a file was n minutes ago. |
-atime n | The last access time of a file was n*24 hours ago. |
-cmin n | The last time a file has been changed was n minutes ago. |
-ctime n | The last time a file has been changed was n*24 hours ago. |
-mmin n | The last time a file has been modified was n minutes ago. |
-mtime n | The last time a file have been modified was n*24 hours ago. |
-daystart | Starting the time measurement from the start of today rather than 24 hours ago. |
The Difference Between -[a,c,m]time and –[a,c,m]min Options
As discussed before, the find command can locate files based on their timestamps utilizing three attributes:
- Access time:
-atime nand-amin n. - Changed time:
-ctime nand-cmin n. - Modification time:
-mtime nand-mmin n.
The n argument for the -[a,c,m]min options, is meant for the number of minutes (e.g. 10 minutes ago).
The n argument for the -[a,c,m]time options, will be multiply by 24 [hours], which can also be considered as number of days (e.g. n:3 * 24 = 72hours).
We will get to know more about these switch options and how to use them in the next paragraphs.
Searching for Files Accessed, Changed or Modified *Exactly* n Time Ago
For our first example in getting to know more about the find time-test switch options we will run a simple command that will find all files in our home directory that have been accessed 72 hours ago. To do that will use the -atime command option and pass number “3” as argument. Execute the mentioned bellow command and see the result:
sudo find . -type f -atime 3
Note: We have chosen number 3 as a value for the option because the find command will multiply the argument value (n) by 24 which will result in 72 [hours].
Also remember this command will display the accessed files 72 hours ago exactly; not less, not more.
If you want to look for changed or modified files, change the switch option accordingly (-ctime, -mtime).
For the next example, we will look for files that were accessed exactly 72 minutes ago. For this particular case, we will obviously choose the -amin switch option that takes a number of minutes as an argument. Let’s check the following command:sudo find . -type f -amin 72
Note that the f character passed to the -type option means that find looks only for files.
Searching for Files Accessed, Changed or Modified *Less* Than n Time Ago
We can also use the -atime and -amin options to get specific files that have been accessed less than a specified time. Let’s search for files that have been accessed in the last 24 hours (1 day) using the -atime option. To do that, we have to use the “-” symbol before the number (n); check the following:
sudo find . -type f -atime -1
Note that we can also use decimal numbers just as so: 0.5 for a half day (12 hours) and 0.25 for a quarter day (6 hours).
Now let’s search by minutes using -amin; for this example, we will locate files that have been accessed less than the last 20 minutes ago. Remember to use the – symbol to indicate “less than n” ; just as the following:
~ $ sudo find . -type f –amin -20
Searching for files accessed, changed or modified *more* than n time ago.
In this section we will discuss how to look for files accessed more than a specific number of days ago.
So let’s find files that have been accessed more than 5 days ago (Haven’t been accessed at least 5 days ago). To do that we have to prefix the value with the plus symbol +. Check the following:
~ $ sudo find . -type f –atime +5
For better understanding: Suppose a file created in 10/09/2022 then a second file created in day 13, and the current day is 16. If we ran the command to retrieve files that have been accessed more than 5 days ago (+5). It means files accessed before 10/09/2022; we will get the first file but not the second.
For the following example we will use the -amin option to find files accessed more than 30 minutes ago (or haven’t been accessed at least 30 minutes ago). First let’s check the timestamp of the files for better understanding.
~/find_time $ ls -la
total 8 -rw-rw-r-- 1 edxd edxd 0 Sep 4 22:24 hello -rw-rw-r-- 1 edxd edxd 0 Sep 4 21:27 white_walkers -rw-rw-r-- 1 edxd edxd 0 Sep 4 22:24 world -rw-rw-r-- 1 edxd edxd 0 Sep 4 21:27 zombies
Keep in mind that the current time is 22:50, now let’s run our command just as so:
~/find_time $ sudo find . -type f -amin +30
./zombies ./white_walkers
Searching for files accessed, changed or modified using two time measurement options
If you have guessed that you can use the find command to locate using two -atime / -amin options; you are correct. First let’s use the same example before:
~/find_time $ ls -la
total 8 -rw-rw-r-- 1 edxd edxd 0 Sep 4 22:24 hello -rw-rw-r-- 1 edxd edxd 0 Sep 4 21:27 white_walkers -rw-rw-r-- 1 edxd edxd 0 Sep 4 22:24 world -rw-rw-r-- 1 edxd edxd 0 Sep 4 21:27 zombies
Run the following command to print out all files that have been accessed less than 200 minutes ago (Keep in mind that the current time is 23:15)
~/find_time $ sudo find . -type f -amin -200
./zombies ./white_walkers ./hello ./world
If we run the opposite (accessed more than 100 minutes), will get the following results:
~/find_time $ sudo find . -type f -amin +100
./zombies ./white_walkers
Now let’s run the find command using both previous option values to get the files accessed for more than 100 minutes ago and less than 200 minutes ago.
~/find_time $ sudo find . -type f -amin +100 -amin -200
./zombies ./white_walkers
If we ran the opposite of the previous command, that will search for files accessed more than 200 minutes ago (first) and less than 100 minutes ago, we will get nothing, because all files are out of this time range.
~/find_time$ sudo find . -type f -amin +200 -amin -100
Bonus: Chaining find with other Linux command
Another useful way to use the find command especially when locating files based on their timestamps, is to chain it with other Linux commands like the rm command or the chmod command.
We can attain this objective by using the -exec switch option which will execute the specified command against every item that resulted from the search. In this example we will delete the files that the find request will pull.
Check the following command for more understanding:
~/find_time$ sudo find . -type f -daystart -mtime +7 –exec rm {} +
This command will first locate all files in the current directory that haven’t been modified at least seven days ago, then it will run the rm command to delete those files.
The daystart option indicates that we are using the time from the beginning of today and not from the default 24 hours ago.
The curly braces {} are considered the placeholder for the items (file paths) found by the find command. Finally the plus + symbol indicates the end of our command; another way to indicate the end of the command is by using the semicolon as you would do with other programing languages (C#, JS…).
Conclusion
In this article we’ve learned how to use the find command to locate files based on their last time of access, change or modification; not to mention, getting to know the differences between these timestamp attributes.
We also got around to discussing how to set the right n value for the time-test options to be compared either as exact, less or greater than the timestamp. Finally we showed you a simple example of how to chain find with other Linux commands.
