A critical use of find is locating files based on their timestamps.
Linux tracks several kinds of timestamps on a file: atime, ctime and mtime. The atime stamp is the last time a file was accessed or read. The ctime stamp is when the file's inode was last changed. The mtime stamp is when the file's contents were last modified. Each object on the Linux file system has identification information called an inode. The inode contains information about the object, such as where it is located on the hard disk, the last time it was modified, its permissions, etc.
To see the inode numbers of the files in a directory, issue this command at a terminal:
ls -i
9438324 bigmem 9438332 input 9438325 separators
9438248 cclass 9438336 log.sh 9438209 snmpplugins.sh
9438326 condition 9438334 log.sh_errors 9438329 sum
9438328 count 9438250 lowmem 9438255 test
9438212 daemons 9438327 nmap.sh 9438210 test.sh
9438333 date 9438196 processes 9438193 users
9438330 disksum 9438249 range 9438323 variable
9438254 header 9438251 range_nr 9438331 websum
9438220 highmem 9438253 records
So, ctime is when the inode changes. This change occurs when the contents are changed or when the permissions are changed or when ownership is changed.
Example of the time tests. Here there is a file called “bigmem” which was opened to view its contents. You can perform the same test with a previously created file on your system. The “-1” means the time period is less than 24 hours. So you can see the file was accessed within the last 24 hours, but the mtime and ctime have not changed, so those two searches return nothing.
find /opt/scripts -iname 'bigmem' -atime -1
/opt/scripts/bigmem
find /opt/scripts -iname 'bigmem' -mtime -1
find /opt/scripts -iname 'bigmem' -ctime -1
Check the permissions on the file with ls -l
-rw-r--r-- 1 root root 128 Feb 17 10:25 bigmem
Now change permissions.
chmod 755 bigmem
Now you will see the ctime has changed. In other words, ctime is not the “created” time; it is when the inode was last changed, which happens with a change of permissions, a change of ownership or a change of content in the file.
find /opt/scripts -iname 'bigmem' -ctime -1
/opt/scripts/bigmem
Change the content of the file and now you will see mtime is also changed.
find /opt/scripts -iname 'bigmem' -mtime -1
/opt/scripts/bigmem
The time periods used with atime, ctime and mtime are also a challenge to get a handle on. The time interval is an integer with an optional “-” or “+” sign. The integer counts 24-hour periods back from the current time. Here are some examples:
An integer with no “-” or “+” counts whole 24-hour periods. So here you can see “0” means the last 24 hours, and the modified script is listed.
find /opt/scripts/ -mtime 0
/opt/scripts/bigmem
This example searches for files modified more than 30 days ago. The “+” means more than.
find /opt/scripts/ -mtime +30
/opt/scripts/test.sh
/opt/scripts/snmpplugins.sh
/opt/scripts/processes
The “-” means files modified less than 10 days ago.
find /opt/scripts/ -mtime -10
/opt/scripts/bigmem
So you can see that find provides extremely good options in locating files based on time.
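The tests can also be combined, which is useful when reviewing a directory: mtime and atime can be set to any date with touch, but ctime is stamped by the kernel when the inode changes, so a file with an old mtime and a recent ctime deserves a second look. The script below is an added example, not part of the original article; the scratch directory, the file names "fresh" and "old" and the 2020 date are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Files and dates below are constructed for the demonstration.

# make_scratch: create a temp directory with two files and print its path.
make_scratch() {
    dir=$(mktemp -d) || return 1
    printf 'data\n' > "$dir/fresh"        # mtime and ctime are "now"
    printf 'data\n' > "$dir/old"
    # touch -t sets atime and mtime to the given date (2020-01-01 00:00).
    # The kernel records this as an inode change, so ctime becomes "now".
    touch -t 202001010000 "$dir/old"
    printf '%s\n' "$dir"
}

# matches DIR TEST...: names of regular files in DIR that satisfy the
# given find tests, sorted and joined with spaces.
matches() {
    d=$1
    shift
    find "$d" -type f "$@" -exec basename {} \; | sort | paste -sd ' ' -
}

demo() {
    scratch=$(make_scratch) || return 1
    echo "-mtime +30           : $(matches "$scratch" -mtime +30)"
    echo "-mtime -1            : $(matches "$scratch" -mtime -1)"
    echo "-ctime -1            : $(matches "$scratch" -ctime -1)"
    # Old content time but recent inode change: worth a second look.
    echo "-mtime +30 -ctime -1 : $(matches "$scratch" -mtime +30 -ctime -1)"
    rm -rf "$scratch"
}

demo
```

Tests given together on one find command line are ANDed, so the last line lists only files that satisfy both conditions.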


{ 2 comments }
I am just learning so this is very useful information. Thank you
One more parameter is very useful -mmin
For example, -mmin -5 – files modified in the last 5 minutes.