Find files containing specific text using grep command
grep is a command-line utility for searching plain-text data sets for lines that match a regular expression. Its name comes from the ed command g/re/p (globally search a regular expression and print), which has the same effect: doing a global search with the regular expression and printing all matching lines. Grep was originally developed for the Unix operating system, but later available for all Unix-like systems.
grep command syntax
grep "text string to search” directory-path
grep [option] "text string to search” directory-path
grep -r "text string to search” directory-path
grep -r -H "text string to search” directory-path
egrep -R "word-1|word-2” directory-path
egrep -w -R "word-1|word-2” directory-path
Find files containing specific text using grep command examples
In this example, we will search for ‘PULSEAUDIO_SYSTEM_START’ in all configuration files located in /etc directory.
Now there’s a small problem, depending on your Linux distro, Find command Syntax can be slightly different.
*If you know the exact location and directory you’re after, then use
root@hackthesec:~# grep "PULSEAUDIO_SYSTEM_START" /etc/default/pulseaudio PULSEAUDIO_SYSTEM_START=1
*If you know the exact directory with the files containing that specific text, then use
root@hackthesec:~# grep "PULSEAUDIO_SYSTEM_START" /etc/default/* grep: /etc/default/kdm.d: Is a directory /etc/default/pulseaudio:PULSEAUDIO_SYSTEM_START=1 root@hackthesec:~#
If you don’t know the exact location of the file that contains the specific text you’re looking for, then you need to search all sub-directories recursively.
root@hackthesec:~# grep -r "PULSEAUDIO_SYSTEM_START" /etc/default/* /etc/default/pulseaudio:PULSEAUDIO_SYSTEM_START=1 root@hackthesec:~#
root@hackthesec:~# grep -R "PULSEAUDIO_SYSTEM_START" /etc/default/* /etc/default/pulseaudio:PULSEAUDIO_SYSTEM_START=1 root@hackthesec:~#
Now what if you are searching through a massive file and there might be many outputs similar to what you’re looking for.. you might want to use –col flag to color code your output which searching files containing specific strings.
root@hackthesec:~# grep --col 'usb 1-1.4' /var/log/messages Apr 4 09:14:25 kali kernel: [1191164.780496] usb 1-1.4: new low-speed USB device number 21 using ehci-pci root@hackthesec:~#
Now I want to display all files with colorer output with containing specific text and instead of showing the whole content of the files
root@hackthesec:~# grep --col -r 'Linux version 3.14-kali1' /var/log/* | cut -d: -f1 /var/log/dmesg /var/log/dmesg.0 /var/log/installer/syslog root@hackthesec:~#
When you’re using grep, depending on the commands used and permission you have on the system, you might see any of the following errors.
* Input/output error* recursive directory loop* No such file or directory* No such device or address* Permission denied
If you want to hide all errors or warning message spamming your output window(specifically useful when you’re trying to use grep on a script) generated by the grep command, append 2>/dev/null to grep command. This will send and hide unwanted output to /dev/null device:
root@hackthesec:~# grep -R "PULSEAUDIO_SYSTEM_START" /etc/* 2>/dev/null /etc/default/pulseaudio:PULSEAUDIO_SYSTEM_START=1 /etc/init.d/pulseaudio:PULSEAUDIO_SYSTEM_START=0 /etc/init.d/pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then /etc/rc0.d/K01pulseaudio:PULSEAUDIO_SYSTEM_START=0 /etc/rc0.d/K01pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then /etc/rc1.d/K01pulseaudio:PULSEAUDIO_SYSTEM_START=0 /etc/rc1.d/K01pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then /etc/rc2.d/S20pulseaudio:PULSEAUDIO_SYSTEM_START=0 /etc/rc2.d/S20pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then /etc/rc3.d/S20pulseaudio:PULSEAUDIO_SYSTEM_START=0 /etc/rc3.d/S20pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then /etc/rc4.d/S20pulseaudio:PULSEAUDIO_SYSTEM_START=0 /etc/rc4.d/S20pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then /etc/rc5.d/S20pulseaudio:PULSEAUDIO_SYSTEM_START=0 /etc/rc5.d/S20pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then /etc/rc6.d/K01pulseaudio:PULSEAUDIO_SYSTEM_START=0 /etc/rc6.d/K01pulseaudio:if [ "$PULSEAUDIO_SYSTEM_START" != "1" ]; then root@hackthesec:~#
What if you’re not sure about the case of the text you’re after? You can use -i to ignore case.
Below example shows the difference between -i flag. First command didn’t find the text, second command did as we used -i flag to ignore case.
root@hackthesec:~# grep -r "pulseaudio_system_start" /etc/default/* root@hackthesec:~# root@hackthesec:~# grep -i -r "pulseaudio_system_start" /etc/default/* /etc/default/pulseaudio:PULSEAUDIO_SYSTEM_START=1 root@hackthesec:~#
I always prefer using grep command with -r and –col flag in Debian Linux as -r complains less about permissions, files, directory etc. and of course some color helps on the eyes when you’re browsing through many lines.
