Find Command Cheat Sheet
Search files, filter by size or date, and use find safely for real Linux operations.
Before you start
Basic File Search by Name
The most common starting point is searching by filename or pattern. This is useful when you know the file name exactly or partially.
find /var/www -name "config.php"
find /home -name "*.log"
find /etc -iname "*mysql*"
-name is case-sensitive, while -iname is case-insensitive. When you are unsure about case, iname is often safer.
Search by File Type
Use type filtering to separate files from directories. This is important because mixed results often make searches harder to interpret.
find /var -type f
find /var -type d
find /home/example -type f -name "*.txt"When troubleshooting, you usually care about either files or directories, not both at the same time. Type filtering reduces clutter immediately.
Find Large Files by Size
This is one of the most practical uses of find on production systems. It helps identify unusually large files during disk usage investigations.
find /var -type f -size +100M 2>/dev/null
find /home -type f -size +500M 2>/dev/null
find /tmp -type f -size +1G 2>/dev/nullWhen disk usage suddenly increases, size filters help you move directly toward the largest files instead of manually exploring every directory.
Find Recently Modified Files
Time filters are useful when investigating recent incidents, deployments, changed configuration files, or unexpected application behavior.
find /etc -type f -mtime -1
find /var/log -type f -mtime -7
find /home/example -type f -mtime +30
-mtime -1 means modified within the last day. -mtime +30 means modified more than 30 days ago. This is useful for both incident investigation and cleanup planning.
Find by Owner or Permission
Ownership and permission filters help during security checks, migration cleanup, and troubleshooting permission-related errors.
find /var/www -user www-data
find /home -type f -perm 777
find /etc -type f -perm 644This is especially useful when uploaded files, generated cache, or migrated data have inconsistent ownership and cause application errors.
Use Exec Carefully
find becomes extremely powerful when combined with -exec, but this is also where mistakes become dangerous. Always test the search first without running any action.
find /var/log -type f -name "*.log" -exec ls -alh {} \;
find /tmp -type f -mtime +7 -exec rm -f {} \;
The second example can delete files. In real operations, you should first run the same search without -exec rm and verify the exact matched file list before taking any destructive action.
Real example
A server starts running out of disk space. Instead of scanning everything manually, an administrator runs find /var -type f -size +500M and discovers that several application log files have grown far beyond their expected size. This leads to checking log rotation and fixing the retention policy rather than randomly deleting files.
This is the right operational pattern: narrow the path, apply a useful filter, confirm the result, then decide what to do.
Possible causes
- You know the file name but not its actual location
- You need to identify large files causing disk pressure
- You need to find recently changed files after an incident or deployment
- You are auditing permissions or ownership on operational paths
- You want to apply the same action to many matched files safely
Common mistakes
- Searching from
/when a narrower path would be enough - Using destructive
-execactions before confirming matched files - Ignoring permission denied errors and assuming the search was complete
- Forgetting type filters and getting noisy mixed results
- Using time or size filters without understanding what they actually match
Environment tips
- Use a narrow starting path whenever possible for speed and clarity.
- Redirect permission errors with
2>/dev/nullwhen scanning broad operational paths. - Test the search first before combining it with
-execmodifications or deletion. - Combine find with other tools such as sort, du, grep, or xargs when deeper analysis is needed.