Find files containing specific text in Linux

Saturday, October 5, 2019

grep is a command-line utility for searching plain-text data sets for lines that match a regular expression. Its name comes from the ed command g/re/p (globally search a regular expression and print), which has the same effect: doing a global search with the regular expression and printing all matching lines. Grep was originally developed for the Unix operating system, but later became available for all Unix-like systems.

grep command syntax

grep "text string to search" directory-path
grep [option] "text string to search" directory-path
grep -r "text string to search" directory-path
grep -r -H "text string to search" directory-path
egrep -R "word-1|word-2" directory-path
egrep -w -R "word-1|word-2" directory-path

Find files containing specific text using grep command examples
 
In this example, we will search for 'PULSEAUDIO_SYSTEM_START' in all configuration files located in the /etc directory.

Now there's a small problem: depending on your Linux distro, the find command syntax can be slightly different.
 
* If you know the exact location and directory you're after, then use:
root@hackthesec:~# grep "PULSEAUDIO_SYSTEM_START" /etc/default/pulseaudio 
PULSEAUDIO_SYSTEM_START=1
* If you know the exact directory with the files containing that specific text, then use:
root@hackthesec:~# grep "PULSEAUDIO_SYSTEM_START" /etc/default/*
grep: /etc/default/kdm.d: Is a directory
/etc/default/pulseaudio:PULSEAUDIO_SYSTEM_START=1
root@hackthesec:~#
If you don't know the exact location of the file that contains the specific text you're looking for, then you need to search all sub-directories recursively:
root@hackthesec:~# grep -r "PULSEAUDIO_SYSTEM_START" /etc/default/*
/etc/default/pulseaudio:PULSEAUDIO_SYSTEM_START=1
root@hackthesec:~#
root@hackthesec:~# grep -R "PULSEAUDIO_SYSTEM_START" /etc/default/*
/etc/default/pulseaudio:PULSEAUDIO_SYSTEM_START=1
root@hackthesec:~#
Now what if you are searching through a massive file and there might be many lines similar to what you're looking for? You might want to use the --col flag (an abbreviation of --color) to color-code your output when searching files containing specific strings:
root@hackthesec:~# grep --col 'usb 1-1.4' /var/log/messages
Apr 4 09:14:25 kali kernel: [1191164.780496] usb 1-1.4: new low-speed USB device number 21 using ehci-pci
root@hackthesec:~#
Now I want to display, with colored output, only the names of the files containing specific text, instead of showing the whole content of the files:
root@hackthesec:~# grep --col -r 'Linux version 3.14-kali1' /var/log/* | cut -d: -f1
/var/log/dmesg
/var/log/dmesg.0
/var/log/installer/syslog
root@hackthesec:~#
When you're using grep, depending on the commands used and the permissions you have on the system, you might see any of the following errors:
 
* Input/output error
* recursive directory loop
* No such file or directory
* No such device or address
* Permission denied
 
If you want to hide all the error or warning messages that the grep command generates and that spam your output window (especially useful when you're using grep in a script), append 2>/dev/null to the grep command. This sends the unwanted output to the /dev/null device, hiding it:
root@hackthesec:~# grep -R "PULSEAUDIO_SYSTEM_START" /etc/* 2>/dev/null 
/etc/default/pulseaudio:PULSEAUDIO_SYSTEM_START=1
/etc/init.d/pulseaudio:PULSEAUDIO_SYSTEM_START=0
/etc/init.d/pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then
/etc/rc0.d/K01pulseaudio:PULSEAUDIO_SYSTEM_START=0
/etc/rc0.d/K01pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then
/etc/rc1.d/K01pulseaudio:PULSEAUDIO_SYSTEM_START=0
/etc/rc1.d/K01pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then
/etc/rc2.d/S20pulseaudio:PULSEAUDIO_SYSTEM_START=0
/etc/rc2.d/S20pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then
/etc/rc3.d/S20pulseaudio:PULSEAUDIO_SYSTEM_START=0
/etc/rc3.d/S20pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then
/etc/rc4.d/S20pulseaudio:PULSEAUDIO_SYSTEM_START=0
/etc/rc4.d/S20pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then
/etc/rc5.d/S20pulseaudio:PULSEAUDIO_SYSTEM_START=0
/etc/rc5.d/S20pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then
/etc/rc6.d/K01pulseaudio:PULSEAUDIO_SYSTEM_START=0
/etc/rc6.d/K01pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then
root@hackthesec:~#
What if you're not sure about the case of the text you're after? You can use -i to ignore case.
 
The example below shows the difference the -i flag makes. The first command didn't find the text; the second command did, because we used the -i flag to ignore case.
root@hackthesec:~# grep -r "pulseaudio_system_start" /etc/default/*
root@hackthesec:~# 
root@hackthesec:~# grep -i  -r "pulseaudio_system_start" /etc/default/*
/etc/default/pulseaudio:PULSEAUDIO_SYSTEM_START=1
root@hackthesec:~#
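
The file-name listing, error hiding and -i steps above can be combined into one helper. This is an added example, not part of the original post: the function names and the sample tree are constructed for illustration. It uses grep -l instead of piping through cut -d: -f1, so a file with several matching lines is listed once and a file name that itself contains a colon is not truncated.

```shell
#!/bin/sh
# Added example (hypothetical helper names; the sample files are constructed).

# files_with_text DIR TEXT [i]
#   -r recurse, -l print each matching file name once, -F treat TEXT as a
#   literal string, -s suppress "Permission denied"/"No such file" messages.
#   A non-empty third argument adds -i (ignore case).
files_with_text() {
    dir=$1 text=$2 icase=${3:+-i}
    grep -r -l -s -F $icase -- "$text" "$dir" | sort
}

# cut_style DIR TEXT: the post's "grep -r ... | cut -d: -f1" approach,
# kept here only to compare its output with grep -l.
cut_style() {
    grep -r -s -F -- "$2" "$1" | cut -d: -f1 | sort
}

# Build a constructed sample tree in a temporary directory and print its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/default" "$d/init.d"
    printf 'PULSEAUDIO_SYSTEM_START=1\n' > "$d/default/pulseaudio"
    printf 'PULSEAUDIO_SYSTEM_START=1\n' > "$d/default/site:local"
    printf 'unrelated=1\n' > "$d/default/other"
    printf 'PULSEAUDIO_SYSTEM_START=0\nif [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then\n' \
        > "$d/init.d/pulseaudio"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree) && {
    echo "cut -d: -f1 (duplicate entry, truncated name):"
    cut_style "$demo" PULSEAUDIO_SYSTEM_START
    echo "grep -l (each file once, exact name):"
    files_with_text "$demo" PULSEAUDIO_SYSTEM_START
    echo "lower-case search with -i:"
    files_with_text "$demo" pulseaudio_system_start i
    rm -rf "$demo"
}
```

For file names that may contain newlines, GNU grep's -Z (--null) output paired with xargs -0 keeps each name intact.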
I always prefer using the grep command with the -r and --col flags in Debian Linux, as -r complains less about permissions, files, directories, etc., and of course some color is easier on the eyes when you're browsing through many lines.




