Using the -newer option of the find command


Introduction

You casually look at the clock just as it strikes 2 p.m., and it looks like you'll survive this Monday.  You relax, working at the server console, sipping an afternoon java.  But then suddenly -- without warning -- you notice that the system seems to be slowing down.  Out of the corner of your right eye, you notice the lights flickering furiously on the 20 GB disk array.  Time goes by and the lights don't slow down.  A quick check of the ps command fails to show anything significant.  "Something is wrong" you mumble, as your pulse quickens.

This describes the beginning of an anxious moment in the life of an administrator.  You're watching while it looks like a rogue process and a runaway file consume the free space on a Solaris filesystem.  The question is, can you find the file and the process, or will a costly emergency shutdown be required?
 

Defining the problem

Because we can't seem to identify any processes gone bad, we decide that the best approach is to use the find command to locate the runaway file.  Although we don't know anything about the name of the file, or the user that has turned loose the rogue process, we do know that the symptoms started just a few moments ago at 2 p.m.  Searching for files by looking at their creation/modification time seems to be the answer.

Most administrators have used the find command with the -mtime, -ctime, or -atime options to find files by date range.  But on a large filesystem, with half of a day gone by and the system failing, using the "find / -mtime -1 -print" command might find a lot of extra files that we don't have time to see.  All of this leads us to the question:  Is it possible to search for files that have been created or modified in just the last 20 minutes?
 

The solution

To search for files modified within the last twenty minutes, we need to follow a two-step process.  First, we create a file with a file modification time stamp of 20 minutes ago.  It's now 2:10 p.m., so we want to create a file with a time stamp of 1:50 p.m.  This is done with the touch command.

Using the touch command, we create an empty file in the /tmp directory with a modification time stamp of 1:50 p.m.:

 $ touch -mt 08301350 /tmp/empty_file

Looking at the file with the ls -l command, we see that it has the proper time stamp:

 $ ls -l /tmp/empty_file
 -rw-r--r--   1 root     other          0 Aug 30 13:50 /tmp/empty_file

If you haven't used the touch command before, you'll see that it's a unique command that can be used to update the time stamp on files.  Using touch, you can make a file look very old or very new, just by changing its access or modification time.  This has a variety of purposes, from updating the time stamp of old files to include them in tape backups, to touching a file so a make utility will notice the new date and recompile a file.  As an added purpose, touch can also be used to create empty files, which is useful in shell scripts and training exercises.

The second step in our search for the runaway file is to use the find command with the -newer option.  We tell the find command to locate any files in the local filesystem that are newer than our /tmp/empty_file, which appears to have been modified at 1:50 p.m.:

 $ find / -newer /tmp/empty_file -local -print

Notice that we also add the -local option to our command, which tells find to skip NFS-mounted filesystems.  Our local hard disk is the one churning, so there is no point in searching remote filesystems.  I also recommend adding the "-type f" option to tell find to locate only normal files, and ignore directories, links, and other filesystem objects.

Once the find command locates the new file, you can identify the user and process that created the runaway file.  If it really is some type of runaway process, we can terminate the process and remove the file, without performing a costly emergency shutdown.
 

Conclusion

This combination of the touch and find commands has helped us troubleshoot many problems when we needed to find files by a very specific time period.  These commands can easily be incorporated into a shell program that offers a powerful level of control when searching for files using time stamp information.  When the one-day level of granularity of the -mtime, -atime, and -ctime options of the find command isn't good enough, we recommend using the -newer option of the find command.
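
As an added example (not part of the original article), here is one way to wrap the two steps in a shell function.  It assumes GNU date for the "minutes ago" arithmetic, uses the POSIX -xdev option in place of the Solaris-only -local, and creates the reference file with mktemp, because a fixed name such as /tmp/empty_file touched by root could be pre-planted by another user as a symlink.  The function name recent_files is made up for this example.

```shell
#!/bin/sh
# Added example: list regular files under DIR whose modification time
# falls within the last MINUTES minutes, using touch + find -newer.
# Assumptions: GNU date (for -d "N minutes ago") and mktemp are available.
#
# Usage: recent_files MINUTES [DIR]      e.g.  recent_files 20 /var

recent_files() {
    minutes=$1
    dir=${2:-/}

    # Accept only a non-empty string of digits for MINUTES.
    case $minutes in
        ''|*[!0-9]*)
            echo "usage: recent_files MINUTES [DIR]" >&2
            return 2
            ;;
    esac

    # Time stamp for "MINUTES ago" in the CCYYMMDDhhmm.SS form that
    # touch -t accepts (the article's 08301350 is the short MMDDhhmm form).
    stamp=$(date -d "$minutes minutes ago" +%Y%m%d%H%M.%S) || return 1

    # Unpredictable reference file name instead of a fixed path in /tmp.
    ref=$(mktemp "${TMPDIR:-/tmp}/newer_ref.XXXXXX") || return 1

    # Step 1: give the reference file the old modification time.
    touch -m -t "$stamp" "$ref"

    # Step 2: print regular files modified after the reference file.
    # -xdev keeps find on the filesystem that holds DIR; errors from
    # unreadable directories are discarded so the list stays clean.
    find "$dir" -xdev -type f -newer "$ref" -print 2>/dev/null
    rc=$?

    # Always remove the reference file, then report find's exit status.
    rm -f "$ref"
    return $rc
}
```

Because -xdev stops at mount points, run the function once per local filesystem (for example / and /var) if they are mounted separately.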
 

(Note: This article first appeared in ZD Journals Inside Solaris monthly journal. The author now works for Developer's Daily, and the article is reprinted here with their permission.)