# Filter content in Linux

In this reading, you’ll continue exploring Linux commands, which can help you filter for the information you need. You’ll learn a new Linux command, <var>find</var>, which can help you search files and directories for specific information.

## Filtering for information

You previously explored how filtering for information is an important skill for security analysts. **Filtering** is selecting data that match a certain condition. For example, if you had a virus in your system that only affected the <var>.txt</var> files, you could use filtering to find these files quickly. Filtering allows you to search based on specific criteria, such as file extension or a string of text.

## grep

The <var>grep</var> command searches a specified file and returns all lines in the file containing a specified string. The <var>grep</var> command commonly takes two arguments: a specific string to search for and a specific file to search through.

For example, entering <var>grep OS updates.txt</var> returns all lines containing <var>OS</var> in the <var>updates.txt</var> file. In this example, <var>OS</var> is the specific string to search for, and <var>updates.txt</var> is the specific file to search through.

## Piping

The pipe command is accessed using the pipe character (<var>|</var>). **Piping** sends the standard output of one command as standard input to another command for further processing. As a reminder, **standard output** is information returned by the OS through the shell, and **standard input** is information received by the OS via the command line.

The pipe character (<var>|</var>) is located in various places on a keyboard. On many keyboards, it’s located on the same key as the backslash character (<var>\\</var>). On some keyboards, the <var>|</var> can look different and have a small space through the middle of the line. If you can’t find the <var>|</var>, search online for its location on your particular keyboard.

When used with <var>grep</var>, the pipe can help you find directories and files containing a specific word in their names. For example, <var>ls /home/analyst/reports | grep users</var> returns the file and directory names in the <var>reports</var> directory that contain <var>users</var>. Before the pipe, <var>ls</var> lists the names of the files and directories in <var>reports</var>. The pipe then sends this output to the command after it. In this case, <var>grep users</var> returns all of the file or directory names containing <var>users</var> from the input it received.

**Note:** Piping is a general form of redirection in Linux and can be used for multiple tasks other than filtering. You can think of piping as a general tool that you can use whenever you want the output of one command to become the input of another command.
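The <var>grep</var> and piping examples above, as an added shell example that is not part of the original reading. It builds a constructed <var>updates.txt</var> and <var>reports</var> directory in a temporary folder (the file names and log lines are made up) so the commands can be run offline; it also shows the <var>-i</var> flag of <var>grep</var>, which makes the match case-insensitive.

```shell
#!/bin/sh
# Constructed sample data: a small update log and a reports directory.
setup_sample() {
  WORK=$(mktemp -d)
  printf '%s\n' \
    'OS patch KB-001 applied to host web01' \
    'Firmware update pending on switch core01' \
    'OS reboot completed on host db02' \
    'Antivirus signatures refreshed on host mail01' > "$WORK/updates.txt"
  mkdir -p "$WORK/reports"
  for f in users_q1.txt users_q2.txt hosts.txt network_users.csv summary.pdf; do
    : > "$WORK/reports/$f"
  done
  echo "$WORK"
}

# grep OS updates.txt: every line containing the string "OS" (case-sensitive,
# so the lowercase "os" inside "host" does not match on its own).
os_lines() { grep OS "$1/updates.txt"; }

# grep -i OS updates.txt: the same search, ignoring case, so "host" now matches.
os_lines_any_case() { grep -i OS "$1/updates.txt"; }

# ls reports | grep users: the output of ls becomes the input of grep,
# leaving only names that contain "users".
user_reports() { ls "$1/reports" | grep users; }

# Pipelines can keep going: pipe the filtered names into wc -l to count them.
count_os_lines()        { os_lines "$1" | wc -l | tr -d ' '; }
count_os_lines_any_case() { os_lines_any_case "$1" | wc -l | tr -d ' '; }
count_user_reports()    { user_reports "$1" | wc -l | tr -d ' '; }

# Demo run when executed directly.
W=$(setup_sample)
echo "--- grep OS updates.txt";       os_lines "$W"
echo "--- grep -i OS updates.txt";    os_lines_any_case "$W"
echo "--- ls reports | grep users";   user_reports "$W"
rm -rf "$W"
```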

## find

The <var>find</var> command searches for directories and files that meet specified criteria. There’s a wide range of criteria that can be specified with <var>find</var>. For example, you can search for files and directories that

- Contain a specific string in the name,
- Are a certain file size, or
- Were last modified within a certain time frame.

When using <var>find</var>, the first argument after <var>find</var> indicates where to start searching. For example, entering <var>find /home/analyst/projects</var> searches for everything starting at the <var>projects</var> directory.

After this first argument, you need to indicate your criteria for the search. If you don’t include a specific search criterion as your second argument, your search will likely return a lot of directories and files.

Specifying criteria involves options. **Options** modify the behavior of a command and commonly begin with a hyphen (<var>-</var>).

### **-name and -iname**

One key criterion analysts might use with <var>find</var> is to find file or directory names that contain a specific string. The specific string you’re searching for must be entered in quotes after the <var>-name</var> or <var>-iname</var> option. The difference between these two options is that <var>-name</var> is case-sensitive, and <var>-iname</var> is not.

For example, you might want to find all files in the <var>projects</var> directory that contain the word “log” in the file name. To do this, you’d enter <var>find /home/analyst/projects -name "\*log\*"</var>. You could also enter <var>find /home/analyst/projects -iname "\*log\*"</var>.

In these examples, the output would be all files in the <var>projects</var> directory that contain <var>log</var> surrounded by zero or more characters. The <var>"\*log\*"</var> portion of the command is the search criteria that indicates to search for the string “log”. When <var>-name</var> is the option, files with names that include <var>Log</var> or <var>LOG</var>, for example, wouldn’t be returned because this option is case-sensitive. However, they would be returned when <var>-iname</var> is the option.

**Note**: An asterisk (<var>\*</var>) is used as a wildcard to represent zero or more unknown characters.

### **-mtime**

Security analysts might also use <var>find</var> to find files or directories last modified within a certain time frame. The <var>-mtime</var> option can be used for this search. For example, entering <var>find /home/analyst/projects -mtime -3</var> returns all files and directories in the <var>projects</var> directory that have been modified within the past three days.

The <var>-mtime</var> option search is based on days, so entering <var>-mtime +1</var> indicates all files or directories last modified more than one day ago, and entering <var>-mtime -1</var> indicates all files or directories last modified less than one day ago.

**Note:** The option <var>-mmin</var> can be used instead of <var>-mtime</var> if you want to base the search on minutes rather than days.
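The <var>-name</var>, <var>-iname</var>, <var>-mtime</var> and <var>-mmin</var> searches above, as an added shell example that is not part of the original reading. It constructs a small <var>projects</var> tree in a temporary folder (the file names are made up), backdates one file with POSIX <var>touch -t</var> so the time-based searches have something old to find, and uses the standard <var>-type f</var> option (not covered in the reading) so that only files, not the directories created a moment ago, are counted.

```shell
#!/bin/sh
# Constructed sample tree: two recent log files, one note, one old archived log.
setup_projects() {
  WORK=$(mktemp -d)
  mkdir -p "$WORK/projects/archive"
  : > "$WORK/projects/access_log.txt"
  : > "$WORK/projects/System_LOG.txt"
  : > "$WORK/projects/notes.md"
  : > "$WORK/projects/archive/old_log.txt"
  # Backdate the archived log to 1 Jan 2020 (touch -t [[CC]YY]MMDDhhmm is POSIX).
  touch -t 202001010000 "$WORK/projects/archive/old_log.txt"
  echo "$WORK"
}

# find <dir> -name "*log*": case-sensitive, so System_LOG.txt is skipped.
find_name_log()  { find "$1/projects" -name "*log*" | sort; }

# find <dir> -iname "*log*": case-insensitive, so System_LOG.txt is included.
find_iname_log() { find "$1/projects" -iname "*log*" | sort; }

# -mtime -3: files modified less than three days ago (the fresh files).
recent_files()   { find "$1/projects" -type f -mtime -3 | sort; }

# -mtime +1: files modified more than one day ago (only the backdated log).
old_files()      { find "$1/projects" -type f -mtime +1 | sort; }

# -mmin -5: same idea in minutes, so the files created by setup_projects.
last_five_min()  { find "$1/projects" -type f -mmin -5 | sort; }

# Helpers that return a count, useful for quick checks in a script.
count_lines() { wc -l | tr -d ' '; }
count_name_log()   { find_name_log "$1"  | count_lines; }
count_iname_log()  { find_iname_log "$1" | count_lines; }
count_recent()     { recent_files "$1"   | count_lines; }
count_old()        { old_files "$1"      | count_lines; }
count_last_five()  { last_five_min "$1"  | count_lines; }

# Demo run when executed directly.
W=$(setup_projects)
echo "--- -name \"*log*\"";  find_name_log "$W"
echo "--- -iname \"*log*\""; find_iname_log "$W"
echo "--- -mtime -3";        recent_files "$W"
echo "--- -mtime +1";        old_files "$W"
rm -rf "$W"
```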

## Key takeaways

Filtering for information using Linux commands is an important skill for security analysts so that they can customize data to fit their needs. Three key Linux commands for this are <var>grep</var>, piping (<var>|</var>), and <var>find</var>. These commands can be used to navigate and filter for information in the file system.