
grep is a command-line utility for searching and filtering text in files, command output, and log streams using pattern matching and regular expressions.

This guide provides an overview of grep, a brief introduction to regular expression syntax, and practical examples.

Basic grep command syntax

A basic grep command uses the following syntax:

grep "string" ~/example.txt

The first argument to grep is a search pattern. The second (optional) argument is the name of a file to search. The example above searches ~/example.txt for lines containing the word “string”.

You can use grep to search a single file or multiple files. To search files in a directory, include the -r flag. It enables recursive searching through a directory tree, including subdirectories:

grep -r "string" ~/example/

When used on a specific file, grep only outputs the lines that contain the matching string. In recursive mode, grep outputs the full path to the file, followed by a colon, and the contents of the line that matches the pattern.

grep also provides a number of options to control its output:

Flag    Usage
-o      Output only the matching segment of each line, rather than the full contents of each matched line.
-i      Ignore case distinctions, so that characters only differing in case still match.
-n      Print the line number of each matched line.
-C 2    Show 2 (or any number of) adjacent lines in addition to the matched line.
-v      Invert the matching logic, to print non-matching lines.
-e      Specify a pattern. If this option is used multiple times, search for all patterns given. This option can be used to protect a pattern beginning with -.

Regular expressions

By default, grep uses basic regular expressions (BRE). You can also use extended regular expressions (ERE) or Perl-compatible regular expressions (PCRE) with the following flags:

Flag    Usage
-E      Use extended regular expression syntax. Replaces the deprecated egrep command.
-P      Use Perl-compatible regular expression (PCRE) syntax. Support for this option depends on the grep implementation available on your system.

The following examples use extended regular expression syntax (grep -E). While most characters in a regular expression match literal text, the following characters have special meaning:

Symbol  Result
.       Matches any character.
*       Matches zero or more instances of the preceding character.
+       Matches one or more instances of the preceding character.
[]      Matches any of the characters within the brackets.
()      Creates a sub-expression for grouping patterns.
``
^       Matches the beginning of a line.
$       Matches the end of the line.
\       Escapes the following character. Since . matches any character, to match a literal period you would need to use \. instead.

Filtering logs

A common use of grep is searching system-generated text files such as logs:

grep -Eoc "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.* 200"  /srv/www/example.com/logs/access.log

Here, grep filters an Apache access log for lines beginning with an IP address, followed by a number of characters, a space, and 200 (representing a successful HTTP connection). The -c option only outputs the number of matches. To get the output of the IP address of the visitor and the path of the requested file for successful requests, omit the -c flag:

grep -Eo "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.* 200"  /srv/www/example.com/logs/access.log

The curly brackets specify the number of instances of the pattern. {1,3} requires that the previous character occur at least once, but no more than three times. The character class [0-9] matches a single numeric digit. Combined with {1,3}, it matches between one and three digits. You can also generate similar output that reports on unsuccessful attempts to access content by searching for 404 instead of 200:

grep -Eo "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.* 404"  /srv/www/example.com/logs/access.log
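
The patterns above accept " 200" or " 404" anywhere after the address, so a line whose response-size field happens to be 200 is counted as well. The following added example (not part of the original guide) compares that with a pattern tied to the status field; the sample lines are constructed, assume Apache's common log format, and the function names are illustrative.

```shell
#!/bin/sh
# Added example. Constructed sample lines in Apache's common log format
# (assumed layout: client, identity, user, [time], "request", status, size).
sample_access_log() {
cat <<'EOF'
203.0.113.5 - - [10/Jan/2024:03:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2024:03:12:02 +0000] "GET /missing.png HTTP/1.1" 404 200
198.51.100.23 - - [10/Jan/2024:03:12:05 +0000] "GET /old HTTP/1.1" 301 200
198.51.100.23 - - [10/Jan/2024:03:12:09 +0000] "POST /login HTTP/1.1" 200 843
EOF
}

# The guide's pattern: the number in $1 may appear anywhere after the address,
# including in the size field at the end of the line.
loose_count() {
    grep -Ec "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.* $1"
}

# Stricter: the status is the field immediately after the closing quote of
# the request, and it is followed by a space and the size.
status_count() {
    grep -Ec "^([0-9]{1,3}\.){3}[0-9]{1,3} .*\" $1 "
}

# Print "client path" for every request that returned status $1.
status_hits() {
    sed -En "s/^(([0-9]{1,3}\.){3}[0-9]{1,3}) .*\"[A-Z]+ ([^ ]+) [^\"]*\" $1 .*/\1 \3/p"
}

# Stand-alone run: list the requests that really returned 200.
sample_access_log | status_hits 200
```

On a real log, replace `sample_access_log |` with `< /srv/www/example.com/logs/access.log` redirected into the same functions.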

The following command generates a list of unique IP addresses found in the access log. Using the -o option, only the matching strings are sent to standard output. The results are sorted and deduplicated using sort -u:

grep -Eo "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /srv/www/example.com/logs/access.log | sort -u

The next example searches authentication logs for invalid user login attempts. On Debian-based systems, these events are typically recorded in /var/log/auth.log. On RHEL-based systems, similar authentication events are usually logged to /var/log/secure:

grep -Eo "Invalid user.*([0-9]{1,3}\.){3}[0-9]{1,3}" /var/log/auth.log

To output a unique list of IP addresses associated with failed login attempts, match only the IP address portion and sort the results:

grep -Eo "Invalid user.*([0-9]{1,3}\.){3}[0-9]{1,3}" /var/log/auth.log | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u
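
The text after "Invalid user" is a name supplied by the remote client, so the pipeline above also prints any dotted quad that appears in that name. This added example (not from the original guide) extracts only the trailing "from <ip> port <n>" field and counts attempts per address; the sample lines are constructed, assume OpenSSH's log format, and the function names are illustrative.

```shell
#!/bin/sh
# Added example. Constructed sample lines in the format OpenSSH is assumed
# to use: "Invalid user <name> from <ip> port <n>". <name> is client-supplied.
sample_auth_log() {
cat <<'EOF'
Jan 10 03:12:01 host sshd[811]: Invalid user admin from 203.0.113.5 port 40122
Jan 10 03:12:04 host sshd[812]: Invalid user 192.0.2.77 from 203.0.113.5 port 40130
Jan 10 03:12:09 host sshd[815]: Invalid user test from 198.51.100.23 port 51514
Jan 10 03:13:40 host sshd[820]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
EOF
}

# The guide's two-stage pipeline: every dotted quad after "Invalid user".
naive_ips() {
    grep -Eo "Invalid user.*([0-9]{1,3}\.){3}[0-9]{1,3}" |
        grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u
}

# One source address per matching line. The match is anchored to the end of
# the line, because everything before the final "from" may include the name.
source_fields() {
    grep -E "Invalid user " |
        grep -Eo " from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+$" |
        awk '{ print $2 }'
}

# Unique source addresses.
source_ips() { source_fields | sort -u; }

# "address attempts", busiest source first.
source_ip_counts() {
    source_fields | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Stand-alone run on the constructed sample.
sample_auth_log | source_ip_counts
```

If the resulting list feeds a blocklist or firewall rule, use the anchored form so that an address appearing only inside a user name is never acted on.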

grep can filter live command output to monitor specific events in real time:

journalctl -f | grep ssh

In this example, journalctl -f follows the system journal in real time, while grep filters the stream to show only lines related to SSH activity.

Filtering command output

In addition to reading content from files, grep can read and filter text from standard input. You can pipe command output or other text streams to grep, which filters the incoming text according to the specified match pattern and prints only matching lines. For example:

ls --help | grep "dired"

This filters the output of the ls command’s help text and prints lines containing “dired”:

  -D, --dired                generate output designed for Emacs' dired mode

grep can be used to filter long help files. This command filters the tar help text to display options related to bzip files:

tar --help | grep "bzip"

Excluding patterns

You can also use grep to return non-matching lines by using the -v flag to perform an inverted search. For example, the following command only returns lines that do not contain the pattern “string”:

grep -v "string" ~/threads.txt

You can also exclude multiple search patterns with grep -v by placing the -e flag before each pattern:

grep -v -e "string" -e "yarn" ~/threads.txt

When you run the above command, it outputs all lines that do not contain “string” or “yarn”.

Excluding grep when using ps

For process searches, pgrep is usually a cleaner option than filtering ps output manually:

pgrep -af log
576 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
583 /usr/sbin/rsyslogd -n -iNONE
592 /lib/systemd/systemd-logind

Older ps | grep patterns are still common and useful to understand. For example, the following command searches for running processes that contain the pattern “log”:

ps ax | grep log
576 ?        Ss     0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
583 ?        Ssl    0:00 /usr/sbin/rsyslogd -n -iNONE
592 ?        Ss     0:00 /lib/systemd/systemd-logind
4967 pts/0    S+     0:00 grep --color=auto log

Notice the last line of the output contains grep log, which is not relevant to the purpose of the search. You can exclude this line by using a pipe operator (|) and adding grep -v grep after it as follows:

ps ax | grep log | grep -v grep
576 ?        Ss     0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
583 ?        Ssl    0:00 /usr/sbin/rsyslogd -n -iNONE
592 ?        Ss     0:00 /lib/systemd/systemd-logind

While grep -v grep excludes the grep log line, it also excludes any other lines containing the word “grep”, which may not be ideal.

Another approach uses a character class match to avoid matching the grep process itself:

ps ax | grep '[l]og'
576 ?        Ss     0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
583 ?        Ssl    0:00 /usr/sbin/rsyslogd -n -iNONE
592 ?        Ss     0:00 /lib/systemd/systemd-logind

Search compressed files with zgrep

On systems with gzip installed, the zgrep command provides grep-like searching for files compressed with gzip. For example, to search an older compressed log:

zgrep -Eo "Invalid user.*([0-9]{1,3}\.){3}[0-9]{1,3}" /var/log/auth.log.2.gz

zgrep operations take longer than standard grep operations because of the additional overhead of reading the compressed files.
