Have you ever opened your Linux server and thought, “Where did that file go?” One minute everything looks fine, and the next minute your storage is filling up, your logs are piling up, or your project folder feels impossible to manage.
In moments like these, you don’t want to waste time clicking through directories, you want a fast and clear answer. That’s exactly what the find command in Linux gives you. It helps you search files and folders using simple filters like file name, size, modified time, permissions, and owner.
In this article, you’ll learn real world find examples that admins and developers use daily for troubleshooting, cleaning old files, checking security risks, and keeping servers organized without confusion and without guesswork.
How the Linux find Command Works
GNU find (common on Linux) walks directory trees and tests each entry against expressions (predicates). When a file matches, find executes an action (like printing the path). Expressions are processed left to right with short circuit logic, so ordering matters for performance and correctness.
Basic Syntax and Path Selection
find [PATH...] [OPTIONS] [EXPRESSION] [ACTIONS]Common patterns:
# Search current directory recursively
find . -name "*.log"
# Search multiple paths
find /var/www /home -type f -size +100M
# Limit depth
find /etc -maxdepth 1 -type fPredicates and Actions
- Predicates: -name, -type, -size, -mtime, -user, -group, -perm, -path, -regex, -empty, -links, -inum, -newer
- Logical operators: -and (implicit), -or (-o), -not (!), parentheses ( ) for grouping
- Actions: -print (default), -print0, -ls, -exec, -execdir, -ok, -delete, -printf (GNU)
Most Used find Options (With Short Examples)
- -name/-iname: Match by filename (case-sensitive/insensitive)
- -type: f (file), d (dir), l (symlink), b/c (devices), s (socket), p (FIFO)
- -size: File size using c (bytes), k, M, G with + (more than) or – (less than)
- -mtime/-mmin: Last modification time (days/minutes). Also -atime (access), -ctime (metadata)
- -user/-group: Filter by owner or group
- -perm: Match permission modes (exact or masks)
- -maxdepth/-mindepth: Control recursion depth
- -path/-ipath/-regex: Match entire path (good for directories)
- -prune: Exclude directories efficiently
- -print0 with xargs -0: Null-safe piping for spaces and special characters
# Case-insensitive name match
find /var/www -iname "*.php"
# Only directories named cache
find . -type d -name "cache"
# Files larger than 500 MB
find / -type f -size +500M 2>/dev/null
# Modified in the last 15 minutes
find /var/log -type f -mmin -15
# Owned by nginx user
find /var/www -type f -user nginx
# World-writable files (security check)
find / -type f -perm -0002 2>/dev/null
# Limit recursion
find /etc -maxdepth 1 -type f
# Exclude node_modules directories
find . -type d -name node_modules -prune -o -type f -name "*.js" -print
# NUL-delimited safe piping
find . -type f -print0 | xargs -0 du -shReal World Examples for Admins and Developers
1) Find What’s Eating Disk Space
Quickly surface large files across web roots or home directories to prevent outages caused by full disks.
# Top offenders > 200MB, sorted by size
find /var/www -type f -size +200M -printf "%s %p\n" 2>/dev/null | sort -nr | head -20On macOS/BSD find, -printf isn’t available. Use xargs + ls:
find /var/www -type f -size +200M -print0 2>/dev/null | xargs -0 ls -lhS | head -202) Clean Up Old Logs and Backups
Automate retention to keep storage lean and avoid backup bloat.
# Remove compressed logs older than 14 days (review with -print first!)
find /var/log -type f -name "*.gz" -mtime +14 -print
find /var/log -type f -name "*.gz" -mtime +14 -deleteOr move them to an archive directory:
find /var/log -type f -name "*.log" -mtime +30 -exec mv -t /var/archive/logs {} +3) Security Audits: Permissions and Suspicious Files
# World-writable files (risky on shared hosting)
find /home -xdev -type f -perm -0002 -print
# Setuid / setgid binaries (review carefully)
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null
# PHP files modified in last day (possible webshells after a hack)
find /var/www -type f -name "*.php" -mtime -1 -printSearching for encoded functions often used by malware (couple with grep):
find /var/www -type f -name "*.php" -exec grep -HniE "base64_decode|eval\(" {} \; 2>/dev/null4) Deployments: Files Changed Recently
Verify what changed in a code push or detect hot files.
# Files changed in last 10 minutes
find /var/www/site -type f -mmin -10 -print
# Compare against a reference marker file
touch /tmp/deploy.marker
# ... deploy ...
find /var/www/site -type f -newer /tmp/deploy.marker -print5) Exclude Heavy or Irrelevant Directories
Speed up searches by pruning vendor, cache, and VCS paths.
find . \
-path "./node_modules" -prune -o \
-path "./vendor" -prune -o \
-path "./.git" -prune -o \
-type f -name "*.js" -print6) Find and Fix Broken Symlinks
# Broken links
find /var/www -xtype l -print
# Remove them safely after review
find /var/www -xtype l -delete7) Search by Content (with grep)
# Only PHP files containing "DB_HOST"
find . -type f -name "*.php" -exec grep -Hn "DB_HOST" {} \;
# Faster with xargs; safe for spaces with -print0/-0
find . -type f -name "*.env" -print0 | xargs -0 grep -Hn "SECRET_KEY"8) Prepare File Lists for Backup or Sync
# Archive only images last modified this week
find /var/www/media -type f -mtime -7 \( -iname "*.jpg" -o -iname "*.png" \) -print0 | \
tar --null -T - -czf recent-images.tgzSafe Deletions and -exec Best Practices
- Always test with -print before -delete or -exec.
- Use -ok for interactive confirmation in critical paths.
- Prefer -exec … {} + to batch operations (fewer process spawns).
- Use -print0 and xargs -0 to handle spaces/newlines safely.
- When using -delete on directories, combine with -depth to avoid ordering issues.
# Dry run
find /backups -type f -mtime +30 -print
# Delete after verification
find /backups -type f -mtime +30 -depth -delete
# Batch-remove .tmp files efficiently
find . -type f -name "*.tmp" -exec rm -f {} +Performance Tips for Large Trees
- Start from the closest path (avoid find / unless necessary).
- Use -maxdepth/-mindepth to reduce traversal cost.
- Prune noisy directories: node_modules, vendor, .git, cache, sessions.
- Combine simple name checks before expensive predicates (like -regex or -exec).
- Use -mount to avoid crossing into other filesystems (e.g., /proc, /sys, NFS).
- Prefer -name with globs over -regex for speed.
- Consider locate for instant filename searches if updatedb is enabled. For developers, modern tools like fd or ripgrep can complement find for speed.
GNU find vs. BSD/macOS find Differences
- -printf is GNU-specific; on macOS use -exec stat or xargs ls for formatting.
- -regextype is GNU; BSD find supports different regex defaults.
- -delete behavior and safety may vary; test with -print first.
- On macOS, install GNU find via Homebrew (findutils) as gfind for full GNU features.
Find Command in Hosting and DevOps Workflows
On production servers, the find command underpins routine maintenance: clearing old logs, auditing permissions, finding oversized user uploads, or preparing selective backups. In WordPress hosting, it’s invaluable for cleaning cache directories, locating heavy media, or spotting recently modified PHP files after a suspected compromise.
# WordPress: clear cache older than 12 hours (various plugins)
find /var/www/site/wp-content/cache -type f -mmin +720 -delete
# Identify huge uploads
find /var/www/site/wp-content/uploads -type f -size +50M -printIf you prefer not to manage these tasks yourself, YouStable’s managed VPS and dedicated hosting plans include expert help with server hardening, proactive monitoring, and storage housekeeping. That way you focus on shipping features while we keep your Linux stack clean, fast, and secure.
Troubleshooting and Gotchas
- Quoting: Quote globs in -name to avoid shell expansion (use -name “*.log”, not -name *.log).
- Order matters: find evaluates left-to-right; put cheap tests first and use grouping with parentheses.
- Operators: -o is OR, -a is AND (implicit). Use \( … \) and \! for NOT.
- Spaces in names: Always prefer -print0 | xargs -0 or -exec … {} +.
- -path vs -name: Use -path for directory-based matching (e.g., “*/cache/*”).
- Permissions matching: -perm 0644 is exact; -perm -g+w means “group writable”.
- Cross-filesystems: Use -xdev or -mount to avoid walking /proc, /sys, or network mounts.
FAQ’s
1. What’s the difference between find and locate?
find scans the filesystem live and supports rich filters (size, time, permissions). locate queries a prebuilt database (updatedb) and returns results instantly by name only. Use locate for quick filename lookups; use find for accurate, up to the minute and attribute based searches.
2. How do I exclude a directory from search?
# Exclude specific directories with -prune find . -path "./vendor" -prune -o -type f -print # Exclude multiple find . \( -path "./vendor" -o -path "./node_modules" -o -path "./.git" \) -prune -o -type f -print
3. How can I search by modification time (newer than X)?
# Modified in last 2 days find /var/www -type f -mtime -2 # Newer than a reference file find /var/www -type f -newer /path/to/reference.file
4. How do I perform a case insensitive filename search?
find . -type f -iname "*.jpg" find . -type f -iname "readme.*"
5. What’s the safest way to delete matched files?
First, run without deletion and review output (-print). Then confirm with -ok if needed. For bulk deletion, use -delete only after verifying matches, ideally combined with -depth. Example: find /path -type f -name “*.tmp” -print; then find /path -type f -name “*.tmp” -delete.
Conclusion
The find command in Linux is a core skill for administrators and developers. With precise filters and safe actions, you can locate files, enforce security, reclaim disk space, and automate maintenance confidently.
Apply the examples above to your environment, and consider YouStable’s managed hosting if you want seasoned experts optimizing and safeguarding your servers.
