Using Time Criteria with find

by mike on March 16, 2011

A critical tool for doing searches with find is locating files based on time elements.

Linux will track several kinds of timestamps on a file; atime, ctime and mtime.  The atime stamp is the last time a file was accessed or read.  The ctime stamp is when the file inode was last changed. Each object on the Linux file system has identification information for it which is called an inode. This identification information, or inode, contains information about the object like where it is located on the hard disk, the last time it was modified, permissions, etc.

If you wanted to see the inodes associated with a file issue this command at a terminal:
ls -i
9438324 bigmem     9438332 input          9438325 separators
9438248 cclass     9438336 log.sh         9438209 snmpplugins.sh
9438326 condition  9438334 log.sh_errors  9438329 sum
9438328 count      9438250 lowmem         9438255 test
9438212 daemons    9438327 nmap.sh        9438210 test.sh
9438333 date       9438196 processes      9438193 users
9438330 disksum    9438249 range          9438323 variable
9438254 header     9438251 range_nr       9438331 websum
9438220 highmem    9438253 records

So, ctime is when the inode changes.  This change occurs when the contents are changed or when the permissions are changed or when ownership is changed.

Example of time.  Here there is a file called “bigmem” which was opend to view contents.  You can perform this same test with a file on your system that was previously created.  The “-1″ means the time period is less than 24 hours.  So you can see the file was accessed in less than 24 hours but the mtime and ctime have not changed.

find /opt/scripts -iname 'bigmem'  -atime -1
/opt/scripts/bigmem

find /opt/scripts -iname 'bigmem'  -mtime -1
find /opt/scripts -iname 'bigmem'  -ctime -1

Check the permissions on the file with ls -l
-rw-r–r– 1 root root  128 Feb 17 10:25 bigmem

Now change permissions.
chmod 755 bigmem

Now you will see the ctime has changed, in other words it is not “created” time, it is when the inode is changed which can be done either with a change of permissions, ownership or a change of content in the file.
find /opt/scripts -iname 'bigmem'  -ctime -1
/opt/scripts/bigmem

Change the content of the file and now you will see mtime is also changed.
find /opt/scripts -iname 'bigmem'  -mtime -1
/opt/scripts/bigmem

The time periods related to atime, ctime and mtime are also a challenge to get a handle on.  The time interval is an integer with the option to indicate a “-” or a “+” sign. The time interval or integer that is used is a 24-hour period starting from the current time. Here are some examples:

The use of an integer with no “-” or “+” means 24-hour periods.  So here you can see “0″ means the last 24-hours and the modified script is listed.
find /opt/scripts/ -mtime 0
/opt/scripts/bigmem

This example searches for files modified more than 30 days ago.  So the “+” is more than.
find /opt/scripts/ -mtime +30
/opt/scripts/test.sh
/opt/scripts/snmpplugins.sh
/opt/scripts/processes

The “-” means files modified less than 10 days ago.
find /opt/scripts/ -mtime -10
/opt/scripts/bigmem

So you can see that find provides extremely good options in locating files based on time.

{ 2 comments }

Kitty Junior March 16, 2011 at 8:20 pm

I am just learning so this is very useful information. Thank you :)

kosta March 16, 2011 at 11:08 pm

One more parameter is very useful -mmin
For example -mmin -5 – files modified last 5 minutes.

Comments on this entry are closed.

Previous post:

Next post: