Find Command Cheat Sheet
Search files, filter by size or date, and use find safely for real Linux operations.
Before you start
Basic File Search by Name
The most common starting point is searching by filename or pattern. This is useful when you know the file name exactly or partially.
find /var/www -name "config.php"
find /home -name "*.log"
find /etc -iname "*mysql*"
-name is case-sensitive, while -iname is case-insensitive. When you are unsure about case, iname is often safer.
Search by File Type
Use type filtering to separate files from directories. This is important because mixed results often make searches harder to interpret.
find /var -type f
find /var -type d
find /home/example -type f -name "*.txt"When troubleshooting, you usually care about either files or directories, not both at the same time. Type filtering reduces clutter immediately.
Find Large Files by Size
This is one of the most practical uses of find on production systems. It helps identify unusually large files during disk usage investigations.
find /var -type f -size +100M 2>/dev/null
find /home -type f -size +500M 2>/dev/null
find /tmp -type f -size +1G 2>/dev/nullWhen disk usage suddenly increases, size filters help you move directly toward the largest files instead of manually exploring every directory.
Find Recently Modified Files
Time filters are useful when investigating recent incidents, deployments, changed configuration files, or unexpected application behavior.
find /etc -type f -mtime -1
find /var/log -type f -mtime -7
find /home/example -type f -mtime +30
-mtime -1 means modified within the last day. -mtime +30 means modified more than 30 days ago. This is useful for both incident investigation and cleanup planning.
Find by Owner or Permission
Ownership and permission filters help during security checks, migration cleanup, and troubleshooting permission-related errors.
find /var/www -user www-data
find /home -type f -perm 777
find /etc -type f -perm 644This is especially useful when uploaded files, generated cache, or migrated data have inconsistent ownership and cause application errors.
Use Exec Carefully
find becomes extremely powerful when combined with -exec, but this is also where mistakes become dangerous. Always test the search first without running any action.
find /var/log -type f -name "*.log" -exec ls -alh {} \;
find /tmp -type f -mtime +7 -exec rm -f {} \;
The second example can delete files. In real operations, you should first run the same search without -exec rm and verify the exact matched file list before taking any destructive action.
Real example
A server starts running out of disk space. Instead of scanning everything manually, an administrator runs find /var -type f -size +500M and discovers that several application log files have grown far beyond their expected size. This leads to checking log rotation and fixing the retention policy rather than randomly deleting files.
This is the right operational pattern: narrow the path, apply a useful filter, confirm the result, then decide what to do.
Possible causes
- You know the file name but not its actual location
- You need to identify large files causing disk pressure
- You need to find recently changed files after an incident or deployment
- You are auditing permissions or ownership on operational paths
- You want to apply the same action to many matched files safely
Common mistakes
- Searching from
/when a narrower path would be enough - Using destructive
-execactions before confirming matched files - Ignoring permission denied errors and assuming the search was complete
- Forgetting type filters and getting noisy mixed results
- Using time or size filters without understanding what they actually match
Environment tips
- Use a narrow starting path whenever possible for speed and clarity.
- Redirect permission errors with
2>/dev/nullwhen scanning broad operational paths. - Test the search first before combining it with
-execmodifications or deletion. - Combine find with other tools such as sort, du, grep, or xargs when deeper analysis is needed.
About this guide
This is a complete find command reference for real Linux server work. It focuses on practical search patterns for files, directories, size filters, modified dates, permissions, ownership, and command execution. Instead of isolated syntax, it shows how find is actually used during troubleshooting, cleanup, and maintenance.
How to follow this guide
- Start with a clear search path instead of scanning the whole system blindly.
- Use name or type filters first to reduce noise before adding more conditions.
- Use size and time filters when investigating storage growth or recent file changes.
- Use exec carefully and always confirm results before running destructive actions.
- Redirect permission errors when scanning broad paths on production servers.
Why use this method?
The find command is one of the most useful Linux commands for operations, troubleshooting, security checks, storage analysis, and automation. A strong reference helps you locate the right files quickly instead of manually browsing paths or guessing where something might be stored.
Frequently Asked Questions
What is the difference between find and grep?
find searches for files and directories based on path, name, size, time, type, ownership, and other file attributes. grep searches inside file content. In practice, find locates the files first and grep often helps inspect their contents afterward.
Why is find slow sometimes?
find can be slow when scanning very large directory trees, network mounts, or paths with many small files. It becomes faster when you narrow the search path and use meaningful filters early.
Is find -exec dangerous?
It can be, especially when used with rm, chmod, or chown. The command is powerful, but you should always test the search first before executing changes on matched files.
What do -mtime and -size mean?
They filter files by modification time and file size. These are especially useful when tracking recent changes or searching for large files that consume disk space.