Linux Search Mastery - The Complete Arsenal

# Network outage, SSH to production RHEL 7 server
# CTO watching your screen share
$ rg "error" /var/log/

-bash: rg: command not found

$ fd "*.log"

-bash: fd: command not found

# Fumble with grep syntax
$ grep "error" /var/log/

grep: /var/log/: Is a directory

# More fumbling, losing credibility
# "Why don't you know basic Linux commands?"

# Same situation
# Immediately type with confidence:
$ grep -r "error" /var/log/ 2>/dev/null | head -20

# Then refine:
$ find /var/log -type f -name "*.log" -mtime -1 -exec grep -l "error" {} \;

# Directors impressed:
# "How did you find that so fast?"
# You: "Standard tools. Works anywhere."

# Your Arch laptop, fully equipped
rg "pattern"

fd "*.py"

fzf

# Any production server, minimal install
grep -r "pattern" .

find . -name "*.py"

# Add fzf-like with awk/sed if needed

grep [OPTIONS] PATTERN [FILE...]

# Case insensitive
grep -i "pattern" file.txt

# Recursive search (directories)
grep -r "pattern" /path/

# Recursive + follow symlinks
grep -R "pattern" /path/

# Show line numbers
grep -n "pattern" file.txt

# Show only filenames with matches
grep -l "pattern" *.txt

# Show only filenames WITHOUT matches
grep -L "pattern" *.txt

# Count matching lines
grep -c "pattern" file.txt

# Invert match (lines NOT matching)
grep -v "pattern" file.txt

# Show context (3 lines before and after)
grep -C 3 "pattern" file.txt

# Context before only
grep -B 3 "pattern" file.txt

# Context after only
grep -A 3 "pattern" file.txt

# Extended regex (ERE)
grep -E "pattern1|pattern2" file.txt

# Fixed string (literal, no regex)
grep -F "literal.string" file.txt

# Whole word match only
grep -w "word" file.txt

# Multiple patterns
grep -e "pattern1" -e "pattern2" file.txt

# Pattern from file
grep -f patterns.txt file.txt

# Quiet mode (exit code only, no output)
grep -q "pattern" file.txt && echo "Found"

# Max count (stop after N matches)
grep -m 10 "pattern" huge_file.log

# Suppress errors (permission denied, etc.)
grep -s "pattern" /protected/dir/*

# Binary files as text
grep -a "pattern" binary_file

# Show filename with matches (default for multiple files)
grep -H "pattern" file.txt

# Suppress filename
grep -h "pattern" *.txt

# Color output (auto = only if terminal)
grep --color=auto "pattern" file.txt

# Color always (even when piped)
grep --color=always "pattern" file.txt | less -R

# Use -F for literal strings (faster)
grep -F "exact.string.no.regex" huge_file.log

# Use -m to stop after N matches
grep -m 1 "pattern" huge_file.log

# Binary files: skip with -I
grep -rI "pattern" .

# Or treat as text with -a
grep -a "pattern" binary_file

# Limit to specific file types
grep -r --include="*.log" "pattern" /var/log/

# Exclude binary files automatically
grep -rI "pattern" .

# ❌ WRONG: Not escaping special characters
grep "192.168.1.1" file.txt

# ✅ RIGHT: Escape dots
grep "192\.168\.1\.1" file.txt

# ❌ WRONG: Forgot quotes with spaces
grep error message file.txt

# ✅ RIGHT: Quote the pattern
grep "error message" file.txt

# ❌ WRONG: Using cat unnecessarily
cat file.txt | grep "pattern"

# ✅ RIGHT: grep can read files directly
grep "pattern" file.txt

# ❌ WRONG: Recursive on file
grep -r "pattern" file.txt

# ✅ RIGHT: Just grep the file
grep "pattern" file.txt

find [PATH...] [EXPRESSION]

# Find by name (case-sensitive)
find . -name "*.log"

# Find by name (case-insensitive)
find . -iname "*.LOG"

# Find by type
find . -type f

find . -type d

find . -type l

find . -type b

find . -type c

find . -type p

find . -type s

# Find by size
find . -size +100M

find . -size -1k

find . -size 50M

find . -size +1G

# Find by modification time
find . -mtime -7

find . -mtime +30

find . -mtime 7

# Find by access time
find . -atime -1

# Find by change time (metadata)
find . -ctime -7

# Find by modification minute
find . -mmin -60

find . -mmin +120

# Find by user
find . -user root

find . -user $(whoami)

# Find by group
find . -group wheel

# Find by permissions (exact)
find . -perm 755

find . -perm u=rwx,g=rx,o=rx

# Find by permissions (at least)
find . -perm -u+w

find . -perm -g+w

# Find by permissions (any of)
find . -perm /u+w,g+w

# Find empty files/directories
find . -empty

# Find by inode
find . -inum 12345

# Find by number of links
find . -links +2

# Find newer than file
find . -newer reference_file.txt

# Find not newer than file
find . ! -newer old_file.txt

# Print results (default)
find . -name "*.txt" -print

# Print with null delimiter (for xargs -0)
find . -name "*.txt" -print0

# Custom print format
find . -printf "%p %s bytes\n"

find . -printf "%T+ %p\n"

# List files (like ls -l)
find . -name "*.sh" -ls

# Execute command on each result
find . -name "*.tmp" -exec rm {} \;

# Execute with confirmation
find . -name "*.tmp" -ok rm {} \;

# Execute command with all results at once
find . -name "*.txt" -exec grep "pattern" {} +

# Delete files (DANGEROUS)
find . -name "*.tmp" -delete

# Put most restrictive tests first
# ❌ SLOW
find / -type f -name "*.log" 2>/dev/null

# ✅ FASTER
find / -name "*.log" -type f 2>/dev/null

# Use -prune to skip directories early
# ❌ SLOW (searches all of /proc)
find / -name "*.txt" 2>/dev/null

# ✅ FASTER (skips /proc entirely)
find / -path "/proc" -prune -o -name "*.txt" -print 2>/dev/null

# Limit search depth
find . -maxdepth 3 -name "*.txt"

# Use -print0 with xargs -0 for safety and speed
find . -name "*.log" -print0 | xargs -0 grep "error"

# ❌ WRONG: Forgot quotes with wildcards
find . -name *.txt

# ✅ RIGHT: Quote the pattern
find . -name "*.txt"

# ❌ WRONG: Wrong syntax for OR
find . -name "*.txt" -o "*.log"

# ✅ RIGHT: Use -o correctly
find . \( -name "*.txt" -o -name "*.log" \)

# ❌ WRONG: exec without \;
find . -name "*.tmp" -exec rm {}

# ✅ RIGHT: Terminate with \;
find . -name "*.tmp" -exec rm {} \;

# ❌ WRONG: Using -delete carelessly
find / -name "*.tmp" -delete

# ✅ RIGHT: Test first with -print
find / -name "*.tmp" -print

# Find files by name
locate filename

# Case insensitive
locate -i filename

# Count results
locate -c "*.log"

# Show only existing files
locate -e "pattern"

# Limit results
locate -l 20 "pattern"

# Use regex instead of pattern
locate -r "pattern"

# Show statistics
locate -S

# Update database (as root)
sudo updatedb

# Update and see progress
sudo updatedb -v

# Force update of specific path
sudo updatedb -U /path/to/scan

# Find by exact filename
locate -b '\filename.txt'

# Find in specific directory
locate "/etc/*.conf"

# Find recently modified (if database is fresh)
locate -e --regex ".*\.log$"

# Case insensitive search
locate -i readme

# Exclude paths
locate "*.txt" | grep -v "/tmp/"

# Count files by type
locate "*.sh" | wc -l

# Find and execute
locate "*.pdf" | head -10 | xargs -I {} ls -lh {}

# ❌ locate database may be out of date
locate newly_created_file.txt

# ✅ Solution: Update database first
sudo updatedb

locate newly_created_file.txt

# ❌ locate doesn't search by file attributes
locate -size +100M

# ✅ Solution: Use find for attribute searches
find / -size +100M 2>/dev/null

command1 | xargs [OPTIONS] command2

# Use -P for parallel processing
find . -name "*.log" -print0 | xargs -0 -P 4 gzip

# Batch arguments for efficiency
find . -name "*.txt" | xargs -n 100 command

# Use -0 with find -print0 (handles all edge cases)
find . -type f -print0 | xargs -0 command

# Show commands before running (testing)
find . -name "*.tmp" | xargs -t rm

# ❌ WRONG: Not handling spaces in filenames
find . -name "*.txt" | xargs rm

# ✅ RIGHT: Use null delimiter
find . -name "*.txt" -print0 | xargs -0 rm

# ❌ WRONG: Placeholder without -I
find . -name "*.txt" | xargs mv {} /backup/

# ✅ RIGHT: Use -I with placeholder
find . -name "*.txt" | xargs -I {} mv {} /backup/

# ❌ WRONG: Dangerous default behavior
cat filelist.txt | xargs rm

# ✅ RIGHT: Use -r to prevent running on empty input
cat filelist.txt | xargs -r rm

# Or better: Use find
find . -name "pattern" -print0 | xargs -0 rm

# Arch
sudo pacman -S ripgrep

# Ubuntu/Debian
sudo apt install ripgrep

# macOS
brew install ripgrep

# From source
cargo install ripgrep

# Search current directory recursively
rg "pattern"

# Search specific file
rg "pattern" file.txt

# Search specific directory
rg "pattern" /var/log/

# Case insensitive
rg -i "pattern"

# Smart case (case-insensitive if all lowercase)
rg -S "Pattern"

# Whole word
rg -w "word"

# Show line numbers (default)
rg -n "pattern"

# No line numbers
rg -N "pattern"

# Show context (3 lines before and after)
rg -C 3 "pattern"

# Context before
rg -B 3 "pattern"

# Context after
rg -A 3 "pattern"

# Count matches
rg -c "pattern"

# List files with matches
rg -l "pattern"

# List files without matches
rg --files-without-match "pattern"

# Only show filenames
rg --files

# Search hidden files
rg --hidden "pattern"

# Search .gitignore'd files too
rg --no-ignore "pattern"

# Search by file type
rg -t py "pattern"

rg -t sh "pattern"

rg -t md "pattern"

# Exclude file type
rg -T py "pattern"

# Search specific extension
rg -g "*.log" "pattern"

# Multiple patterns (OR)
rg -e "error" -e "warning"

# Fixed strings (no regex)
rg -F "literal.string"

# Multiline search
rg -U "pattern.*\n.*pattern2"

# Replace (preview)
rg "old" -r "new"

# JSON output
rg --json "pattern"

# grep command
grep -r "error" /var/log/ --include="*.log" --color=auto

# ripgrep equivalent (simpler)
rg "error" /var/log/ -t log

# Performance
time grep -r "pattern" large_dir/

time rg "pattern" large_dir/

# Parallel search (default, uses all cores)
rg "pattern"

# Limit threads
rg --threads 4 "pattern"

# Memory map files (faster for large files)
rg --mmap "pattern"

# Sort results by file path
rg --sort path "pattern"

# Limit search to N results
rg -m 100 "pattern"

# Create ~/.ripgreprc
cat > ~/.ripgreprc << 'EOF'
# Always show line numbers
--line-number

# Smart case by default
--smart-case

# Follow symlinks
--follow

# Always use context
--context=2

# Use better colors
--colors=match:fg:blue
--colors=line:fg:yellow
EOF

# Use config file
export RIPGREP_CONFIG_PATH=~/.ripgreprc

# Smart fallback function
search() {
    if command -v rg &>/dev/null; then
        rg "$@"
    else
        # Translate common rg flags to grep
        grep -r --color=auto "$@"
    fi
}

# Use in scripts
search "error" /var/log/

# Or alias
alias search='if command -v rg &>/dev/null; then rg; else grep -r --color=auto; fi'

# Top 10 largest files in /var
find /var -type f -printf "%s\t%p\n" 2>/dev/null | sort -rn | head -10

# Failed SSH logins
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn

# Find files modified in last hour
find / -type f -mmin -60 2>/dev/null | head -50

# Suspicious cron jobs
grep -r "curl.*sh\|wget.*sh" /var/spool/cron/ /etc/cron* 2>/dev/null

# Open network connections
netstat -tupan | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort -u

# Processes using most CPU (if no top)
ps aux | sort -nrk 3,3 | head -10

# Processes using most memory
ps aux | sort -nrk 4,4 | head -10

# Disk usage by directory
du -h --max-depth=1 / 2>/dev/null | sort -rh | head -20

# Find executable files in tmp
find /tmp /var/tmp /dev/shm -type f -executable 2>/dev/null

# Extract emails from files
grep -roE "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b" . | cut -d: -f2 | sort -u

# 1. Check load average
uptime

# 2. Top processes
ps aux | sort -nrk 3,3 | head -5

# 3. Disk usage
df -h | grep -v "tmpfs\|devtmpfs"

# 4. Largest directories
du -h / --max-depth=1 2>/dev/null | sort -rh | head -10

# 5. Recent errors in logs
find /var/log -type f -mtime -1 -exec grep -l "error\|exception" {} \; | head -5

# 6. Check network connections
netstat -tupan | grep ESTABLISHED | wc -l

# 7. Find large files created recently
find /var -type f -size +100M -mtime -1 -ls 2>/dev/null

# Find all Python files, count functions, show top 10
find . -name "*.py" -print0 | \
  xargs -0 grep -c "^def " | \
  sort -t: -k2 -rn | \
  head -10

# Find IPs with >100 failed logins, resolve hostnames
grep "Failed password" /var/log/auth.log | \
  awk '{print $(NF-3)}' | \
  sort | \
  uniq -c | \
  awk '$1 > 100 {print $2}' | \
  while read ip; do
    echo -n "$ip "
    host $ip 2>/dev/null | awk '{print $NF}'
  done

# Find suspicious files: world-writable, recently modified, executable
find / -type f \( -perm -002 -o -perm -020 \) \
  -mtime -7 \
  -executable \
  2>/dev/null | \
  while read file; do
    echo "=== $file ==="
    ls -l "$file"
    file "$file"
    strings "$file" | grep -E "http|/bin/|chmod" | head -3
  done

# Process 20 log files in parallel, extract errors, combine results
find /var/log -name "*.log" -type f | \
  head -20 | \
  xargs -P 4 -I {} sh -c \
    'echo "=== {} ===" && grep -c "error\|exception" {}' | \
  awk '/^===/{file=$2} /^[0-9]+$/{print $1, file}' | \
  sort -rn | \
  head -10

# Find sensitive strings in config files with full context
find /etc -type f -name "*.conf" -o -name "*.ini" 2>/dev/null | \
  xargs -I {} sh -c \
    'grep -iH "password\|secret\|key" "{}" 2>/dev/null && \
     echo "File: {}" && \
     ls -l "{}" && \
     echo "---"'

# Create timeline of file modifications in last 24 hours
find / -type f -mtime 0 2>/dev/null | \
  while read file; do
    stat -c "%Y %n" "$file"
  done | \
  sort -n | \
  awk '{
    cmd="date -d @"$1" +\"%Y-%m-%d %H:%M:%S\""
    cmd | getline timestamp
    close(cmd)
    print timestamp, $2
  }'

# Analyze network connections, find associated processes and files
netstat -tupan | grep ESTABLISHED | \
  awk '{print $7}' | \
  cut -d/ -f1 | \
  sort -u | \
  while read pid; do
    echo "=== PID: $pid ==="
    ps -p $pid -o comm=,args=
    lsof -p $pid | grep -E "\.so|\.py|\.sh"
    echo "---"
  done

# Find Python files, count lines/functions, calculate complexity
find . -name "*.py" -print0 | \
  xargs -0 -I {} sh -c '
    lines=$(wc -l < "{}")
    funcs=$(grep -c "^def " "{}")
    if [ $funcs -gt 0 ]; then
      ratio=$((lines / funcs))
      echo "$ratio $lines $funcs {}"
    fi
  ' | \
  sort -rn | \
  awk '{printf "%s\t%d lines\t%d funcs\t%d avg\n", $4, $2, $3, $1}' | \
  head -20

# Compare current state against baseline
find / -perm /6000 -type f 2>/dev/null | sort > /tmp/current_suid.txt

# Show new SUID binaries
comm -13 /tmp/baseline_suid.txt /tmp/current_suid.txt | \
  while read file; do
    echo "NEW: $file"
    ls -l "$file"
    md5sum "$file"
    file "$file"
    echo "---"
  done

# Show removed SUID binaries
comm -23 /tmp/baseline_suid.txt /tmp/current_suid.txt | \
  while read file; do
    echo "REMOVED: $file"
  done

# Comprehensive search function
palpatine_search() {
    local pattern="$1"
    local depth="${2:-3}"

    echo "=== Searching for: $pattern ==="
    echo

    # Search filenames
    echo "## Filenames:"
    find / -maxdepth $depth -iname "*$pattern*" 2>/dev/null | head -10
    echo

    # Search file contents
    echo "## File contents:"
    find / -maxdepth $depth -type f 2>/dev/null | \
      xargs grep -l "$pattern" 2>/dev/null | head -10
    echo

    # Search running processes
    echo "## Processes:"
    ps aux | grep -i "$pattern" | grep -v grep
    echo

    # Search network connections
    echo "## Network:"
    netstat -tupan 2>/dev/null | grep -i "$pattern"
    echo

    # Search environment variables
    echo "## Environment:"
    env | grep -i "$pattern"
    echo

    # Search command history (if accessible)
    echo "## History:"
    history | grep -i "$pattern" | tail -5 2>/dev/null

    echo "=== Search complete ==="
}

# Usage
palpatine_search "password" 2

palpatine_search "192.168" 3

Need to search?
│
├─ By filename?
│  │
│  ├─ Fast, anywhere → locate
│  ├─ With attributes → find
│  └─ Modern + fast → fd
│
└─ By content?
   │
   ├─ Modern tools available?
   │  └─ Yes → ripgrep (rg)
   │
   └─ No → grep
      │
      ├─ Simple pattern → grep -r
      ├─ Complex regex → grep -E
      └─ Fixed string → grep -F

# Search content recursively
grep -r "pattern" .

rg "pattern"

# Find files by name
find . -name "*.txt"

fd "*.txt"

# Find large files
find . -type f -size +100M

fd -t f -S +100M

# Search with context
grep -C 3 "error" file.log

rg -C 3 "error" file.log

# Find and execute
find . -name "*.tmp" -delete

fd -e tmp -x rm

# Parallel processing
find . -name "*.log" -print0 | xargs -0 -P 4 gzip

fd -e log -x gzip

rg "pattern"

fd "*.py"

fzf

grep -r "pattern" .

find . -name "*.py"

grep "pattern" file

find / -name "filename"

# 1. Find errors in logs (last hour)
grep "error" /var/log/app.log | tail -100

# 2. Find large files
find /var -type f -size +100M -exec ls -lh {} \;

# 3. Search all config files
find /etc -name "*.conf" -exec grep -H "pattern" {} \;

# 4. Find recently modified files
find /etc -type f -mtime -1 -ls

# 5. Extract IPs from logs
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" access.log | sort -u

# 6. Find SUID binaries
find / -perm /6000 -type f 2>/dev/null

# 7. Parallel grep
find . -name "*.log" -print0 | xargs -0 -P 4 grep "error"

# 8. Find and count
find . -name "*.py" | xargs grep -c "TODO" | sort -t: -k2 -rn | head -10

# 9. Timeline of changes
find / -mtime 0 2>/dev/null | while read f; do stat -c "%y %n" "$f"; done | sort

# 10. The ultimate search
grep -r "pattern" / 2>/dev/null | head -50