grep basics

This article introduces some tools, especially grep, a Linux® command-line
tool that you can use to search directories or files that match specified
regular expressions.

What is grep?

Official answer:

grep searches the named input files (or standard input if you don't
specify a file or use a single hyphen (-) as the filename)
for lines containing a match to the given pattern. By default, grep
prints the matching lines.

Nicer answer:

Search a file, directory, or output for something specific, similar to
Ctrl + f in Windows®. Use this function to target exactly
what you need.


Often, the easiest way to show how a command works, is with examples.

You can see all users in the /etc/passwd file with the following command:

# cat /etc/passwd
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin

Using grep, you can narrow down that list to find a single user.

Find a specific user:

List the users but filter the output showing only the line with sher in it.

# cat /etc/passwd | grep 'sher'

Or, find the same user with a single command:

# grep 'sher' /etc/passw

In the following example, find all users with bash access:

# grep 'bash' /etc/passwd


Like most Linux commands, grep uses flags, usually one or more
letters preceded by one or more dashes, to add extra functionality.

-v: Show everything that does not include the specified
search pattern:

# grep -v 'nologin' /etc/passwd

-i: Show matches, ignoring the case, which is useful when
you don't know exactly what you need:

# grep -i 'SHER' /etc/passwd

Search for multiple patterns

grep uses the pipe symbol (|) to mean or allowing you to search
for more than one thing at a time. Use one of the following methods
to search for several things at once:

\: Escapes the next character, a pipe (|) allowing it to work as or:

# grep 'sher\|rack' /etc/passwd

-E: Interprets special characters, such as | as or:

# grep -E 'sher|rack' /etc/passwd

The egrep command does the same thing:

# egrep 'sher|rack' /etc/passwd

Combining flags

You can use various flags in combination to refine a search.

The following example shows all users who aren't sher or rack,
regardless of the case of the pattern of file content:

# egrep -vi 'SHER|RACK' /etc/passwd

Practical examples

The following sections cover other uses for grep and introduce other useful commands.

Ignore comments

In Linux, you comment out lines by adding the pound symbol (#) at the
beginning of the line. This way, you can add your own notes, and scripts or programs
ignore the comments and do not execute those lines.

To display files ignoring those comments, use tbe following command:

# grep -v ^'#' /file

You can even run a grep on top of another grep command.

For example, list a file ignoring commented lines, and then look for something specific:

# grep -v ^'#' /file | grep 'hello'

Search history

Most Linux systems keep a log of executed commands, which you can access with
the command history. When you combine history with grep, you can very
effectively investigate what has been run on your system so far.

Check the passwd commands run and other commands containing the
passwd pattern:

# history | grep 'passwd'

Find commands run on a specific day:

# history | grep '2021-05-10'

Check which commands ran at a specific time:

# history | grep '2021-05-10 11:00:'

Check ports and root login

List the web traffic running on ports 80 and 443:

# netstat -plnt | egrep '80|443'

You can use ^ in a grep command to show only those lines
starting with your search pattern.

For example, run the following command to check whether the system allows
root logins:

# grep ^'Permit' /etc/ssh/sshd_config

Search logs with head and tail

Use top to show the first ten lines of the login attempts log:

# head /var/log/secure

Use tail to show the lines at the end of the login attempts log:

# tail /var/log/secure

Use the last command to show the first ten lines of the most recent logins:

# last | head -10

Use the tail -f to watch a file grow in real time. For example, you can see
the most recent login attempts and watch ongoing attempts. If someone tries to
log in, you can see it as it happens with the following command:

# tail -f /var/log/secure
Ctrl + C to exit

Other tools

You can experiment with your newfound skills by using the tools in this section.

vim or nano

vi, vim, and nano are the most common text editors in Linux.
You can use them to edit a file, similar to using Notepad in Windows.

Open up and create a new file, test:

# vim /test
ActionsKey sequenceExplanation
To start typing new content:iPrepare to insert text
To exit without saving:Esc :q!Escape insert mode and quit
To exit and save:Esc :wq!Escape insert mode, write, and quit


echo is a simple command that tells Linux to repeat what you just typed.
This is effective for testing grep commands without first creating a new file.

For example, make hello display:

# echo 'hello'

Display hello and search for the middle letters:

# echo 'hello' | grep 'ell'

You can even use echo to display multiple lines by using -e and \n to
add new lines.

Display hi and ho on separate lines:

# echo -e 'hi\nho'

Display hi and ho on separate lines and search for hi:

# echo -e 'hi\nho' | grep 'hi'


Like grep, sed has many uses, but you primarily use this command to
search for and replace specified content. Here are some basic examples of how
to single out specific lines:

First, Use vim to create a file:

# vim /test

When the editor opens, enter the following lines:

1 Hi
2 How
3 Are
4 You

Display the new file:

# cat test
1 Hi
2 How
3 Are
4 You

Use sed to return everything except the first line:

# sed 1d test
2 How
3 Are
4 You

Return only the first line:

# sed 1q test


# sed '1!d' test
1 Hi

Return only the second to fourth lines:

# sed '2,4!d' test
2 How
3 Are
4 You


There are many other tools that you can use, such as awk, cut, sort, xargs,
and so on. Now that you know how to create a file by using echo, you can
experiment more effectively with them.