Sunday, 17 March 2013

Searching with GNU Grep


GNU grep is installed by default on pretty much any Linux system you are likely to come across. It's a useful utility for searching files for strings, words, regular expressions etc. By default, it will print the lines in a file that match the pattern you give it. Here are a few examples of how it can be used:

 #grep 'word' /home/mugwriter/mybigfile  

This would return the lines containing 'word' in /home/mugwriter/mybigfile. While this is useful enough, there are other ways that we can use grep that might be more useful. For example, the above command only searches a single file for the regular expression we're trying to match. We can search a whole directory tree using the -r switch:

 #grep -r 'word' /home/mugwriter/  

The -r switch makes grep descend into directories, so in this instance it searches every file under /home/mugwriter/. This is useful for the occasions when we need to find the pattern but aren't sure which file it's in. Another use case is when several files contain the pattern and we want to locate each one, perhaps piping the results to sed to make amendments. With the previous example, though, grep matches 'word' exactly as typed, so any occurrence of 'Word' or 'wOrd' etc. is left out of the results. In other words, if we need case-insensitive results from grep, we need to search a different way. This is where the -i switch comes in:

 #grep -ir 'word' /home/mugwriter/  

Now we're starting to get something a bit more useful. With -i, grep returns 'Word' where it starts a sentence with a capital W, it returns 'WORD', and any other combination of upper and lower case. Bear in mind that grep matches the pattern anywhere in a line, so 'sword' and 'wordy' match too; add the -w switch if only whole words should count.
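To see the difference between -r, -i and -w on real files without touching anything on the system, here is an added example (not from the original post) that builds a throwaway directory with a few constructed files and runs each variant against it. The paths and file contents are made up for the demonstration; -l (list matching files) and -n (show line numbers) are included as well since they tend to come up in the same situations.

```shell
#!/bin/sh
# Added example, not from the original post: builds a throwaway directory
# with a few constructed files, then runs the recursive (-r) and
# case-insensitive (-i) searches described above, together with -w (whole
# word), -l (filenames only) and -n (line numbers). All paths and file
# contents below are made up for the demonstration.

# Create the sample tree and print its path.
make_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/notes" "$dir/logs"
    printf 'The word at the start.\nnothing here\nWORD in caps\n' > "$dir/notes/a.txt"
    printf 'a sword is not the same\nlower word\n' > "$dir/notes/b.txt"
    printf 'Word once more\n' > "$dir/logs/app.log"
    printf '%s' "$dir"
}

# Number of lines matching 'word' under $2, using the grep flags in $1
# (-r is needed for a directory; without it grep expects a list of files).
count_lines() {
    grep "$1" 'word' "$2" | wc -l | tr -d ' '
}

# Number of files (not lines) containing a case-insensitive match (-l).
count_files() {
    grep -ril 'word' "$1" | wc -l | tr -d ' '
}

# Line numbers within one file that match case-insensitively, e.g. "1 3".
match_line_numbers() {
    grep -in 'word' "$1" | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

dir=$(make_tree)
echo "grep -r   (exact case):      $(count_lines -r "$dir")"   # 3 ('sword' counts)
echo "grep -ir  (any case):        $(count_lines -ir "$dir")"  # 5
echo "grep -irw (whole words):     $(count_lines -irw "$dir")" # 4 ('sword' dropped)
echo "files with a match (-l):     $(count_files "$dir")"      # 3
echo "matching lines in a.txt (-n): $(match_line_numbers "$dir/notes/a.txt")" # 1 3
rm -rf "$dir"
```

The jump from 3 to 5 is what -i buys you, and the drop back to 4 with -w is the 'sword' line being excluded because 'word' is only part of a longer word there.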

We can also pipe the standard output from other commands into grep; one of the ways I use it most frequently is to search for running processes. Let's see if anybody is using the iftop program:

 [bob@mugwriter ~]$ ps aux | grep iftop  
 root   23861 0.0 0.1 187208 3092 pts/8  S+  11:30  0:00 sudo iftop -i wlan0  
 root   23867 0.1 0.2 352096 5624 pts/8  Sl+ 11:30  0:04 iftop -i wlan0  
 bob  24577 0.0 0.0 103248  856 pts/11  S+  12:20  0:00 grep iftop  


Notice the last line of that output: the grep process itself shows up, because 'iftop' is part of its own command line. To drop it, search for '[i]ftop' instead (the regular expression still matches 'iftop', but grep's own argument is the literal string [i]ftop, which doesn't match), or use pgrep, which exists for exactly this job.

We can also use grep to search log files. Let's check which users have used the sudo command:

 #grep sudo /var/log/secure*  

On its own, that's not really all that useful. The above will search all of the /var/log/secure files, including those that have been rotated out and datestamped on a weekly basis (on Debian-based systems the equivalent file is /var/log/auth.log). You should rightly expect to get a lot of output from that command on a system that gets much usage. How about if we narrow it down a bit? Let's get the number of times sudo was used but failed, by piping the output from our last command back into grep:

 # grep sudo /var/log/secure* | grep failure  

This will output the lines where a user tried to use sudo and PAM reported an authentication failure, most likely because they entered their password incorrectly. Note that it will not catch users who aren't in /etc/sudoers: sudo logs those attempts as 'user NOT in sudoers', which doesn't contain the word 'failure', so that case needs its own pattern. Still, we could get a lot of output from this, so let's pipe the results to wc and use it to count the number of lines we get from our query:

 # grep sudo /var/log/secure* | grep failure | wc -l  
 5  

So grep finds 5 lines that match our query. (The -c switch makes grep count matching lines itself, which saves the extra wc.)
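The following added example (not from the original post) runs the same two-stage grep over a handful of constructed /var/log/secure-style lines, then compares it with a pattern built from the messages sudo writes itself for a failed attempt, and pulls out the usernames involved. The hostnames, usernames, times and commands in the sample are made up; the message formats are the ones sudo and pam_unix use.

```shell
#!/bin/sh
# Added example, not from the original post: runs the post's two-stage grep
# over constructed /var/log/secure-style lines and compares it with a
# pattern that also catches the records sudo itself writes for a failed
# attempt. Hostnames, usernames, times and commands are made up.

sample_secure() {
    cat <<'EOF'
Mar 17 11:02:13 host sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/iftop -i wlan0
Mar 17 11:05:41 host sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1001 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=alice
Mar 17 11:05:44 host sudo:   alice : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 17 11:09:02 host sudo:   carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 17 11:12:30 host sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=bob
Mar 17 11:20:00 host sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/service httpd restart
EOF
}

# The post's query: lines mentioning sudo that also contain "failure".
# Only the PAM line qualifies; sudo's own "NOT in sudoers" and
# "incorrect password attempt" records do not contain the word "failure",
# and the sshd failure is excluded by the first grep.
post_query() {
    sample_secure | grep sudo | grep failure | wc -l | tr -d ' '
}

# One line per failed attempt, using the messages sudo writes itself.
# grep -c counts matching lines, so wc -l is not needed.
failed_attempts() {
    sample_secure | grep 'sudo:' | grep -cE 'incorrect password attempt|user NOT in sudoers'
}

# The usernames behind those failures, sorted and de-duplicated,
# returned as a single space-separated string.
failed_users() {
    sample_secure | grep 'sudo:' \
        | sed -nE 's/^.*sudo: +([^ ]+) : .*(incorrect password attempt|user NOT in sudoers).*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "post's grep sudo | grep failure: $(post_query)"      # 1
echo "failed sudo attempts:            $(failed_attempts)" # 2
echo "users who failed:                $(failed_users)"    # alice carol
```

The first count is the one the post's pipeline gives; the second is the number you actually want when asking "how many sudo attempts failed", since it includes the user who isn't in sudoers at all. Matching on 'sudo:' rather than 'sudo' also avoids picking up unrelated lines that merely mention the word.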



I'll put some more useful examples of usage up when I get a chance; these are just a few ways grep can be put to use.
