Grep Command in Linux (Find Text in Files)

Updated 

9 min read

The grep command which stands for “global regular expression print” is one of the most powerful and commonly used commands in Linux.

Grep searches one or more input files for lines that match a given pattern and writes each matching line to standard output. If no files are specified, grep reads from the standard input, which is usually the output of another command.

In this tutorial, we will show you how to use the grep command through practical examples, and detailed explanations of the most common GNU grep options.

Grep Command Syntax

Before going into how to use the grep command, let’s start by reviewing the basic syntax.

The grep utility expressions take the following form:

grep [OPTIONS] PATTERN [FILE...]

The items in square brackets are optional.

  • OPTIONS - Zero or more options. Grep provides a number of options that control its behavior.
  • PATTERN - Search pattern.
  • FILE - Zero or more input file names.

To be able to search the file, the user running the command must have read access to the file.

How to use grep to Search for a String in Files

The most basic usage of the grep command is to search for a string (text) in a file.

For example, to display the lines from the /etc/passwd file containing the string bash you can use the following command:

grep bash /etc/passwd

The output should look something like this:

root:x:0:0:root:/root:/bin/bash
linuxize:x:1000:1000:linuxize:/home/linuxize:/bin/bash

If the string includes spaces, you need to enclose it in single or double quotation marks:

grep "Gnome Display Manager" /etc/passwd

Invert Match (Exclude)

To display the lines that do not match a pattern, use the -v ( or --invert-match) option.

For example to display the lines from the /etc/passwd file that do not contain the string nologin you can use the following command:

grep -v nologin /etc/passwd
root:x:0:0:root:/root:/bin/bash
colord:x:124:124::/var/lib/colord:/bin/false
git:x:994:994:git daemon user:/:/usr/bin/git-shell
linuxize:x:1000:1000:linuxize:/home/linuxize:/bin/bash

How to use Grep to Search for a String in Command Output

Instead of specifying input files, you can pipe the output of another command to grep, and then display only lines matching a given pattern.

For example, to find out which processes are running on your system as user www-data you can use the following ps command:

ps -ef | grep www-data
www-data 18247 12675  4 16:00 ?        00:00:00 php-fpm: pool www
root     18272 17714  0 16:00 pts/0    00:00:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn www-data
www-data 31147 12770  0 Oct22 ?        00:05:51 nginx: worker process
www-data 31148 12770  0 Oct22 ?        00:00:00 nginx: cache manager process

You can also chain multiple pipes in on command. As you can see in the output above there is also a line containing the grep process. If you don’t want that line to be shown pass the output to another grep instance as shown below.

ps -ef | grep www-data | grep -v grep
www-data 18247 12675  4 16:00 ?        00:00:00 php-fpm: pool www
root     18272 17714  0 16:00 pts/0    00:00:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn www-data
www-data 31147 12770  0 Oct22 ?        00:05:51 nginx: worker process
www-data 31148 12770  0 Oct22 ?        00:00:00 nginx: cache manager process

To recursively search for a pattern use the, use the -r option (or --recursive). This will search through all files in the specified directory, skipping the symlinks that are encountered recursively. To follow all symbolic links, use the -R option (or --dereference-recursive).

In the following example we are searching for the string linuxize.com in all files inside the /etc directory:

grep -r linuxize.com /etc

The command will print the matching lines prefixed by the full path to the file.

/etc/hosts:127.0.0.1 node2.linuxize.com
/etc/nginx/sites-available/linuxize.com:    server_name linuxize.com   www.linuxize.com;

If instead -r you use -R option grep will follow all symbolic links:

grep -R linuxize.com /etc

Notice the last line of the output. That line is not printed in the example above because files inside the Nginx’s sites-enabled directory are symlinks to configuration files inside the sites-available directory.

/etc/hosts:127.0.0.1 node2.linuxize.com
/etc/nginx/sites-available/linuxize.com:    server_name linuxize.com   www.linuxize.com;
/etc/nginx/sites-enabled/linuxize.com:    server_name linuxize.com   www.linuxize.com;

Show Only the Filename

To suppress the default grep output and print only the names of files containing the matched pattern, you can use the -l ( or --files-with-matches) option.

For example to search through all files ending with .conf in the current working directory and print only the names of files containing the string linuxize.com type:

grep -l linuxize.com *.conf

The output will look something like this:

tmux.conf
haproxy.conf

The -l option is usually used in combination with the recursive option -R:

grep -Rl linuxize.com /tmp

By default, the grep command is case sensitive. This mean that the uppercase and lowercase characters are treated as distinct.

To ignore case when searching, use the -i option (or --ignore-case).

For example, when searching for Zebra without any option, the following command will not show any output i.e there are matching lines:

grep Zebra /usr/share/words

But if you perform a case insensitive search using the -i option, it will match both upper and lower case letters:

grep -i Zebra /usr/share/words

Specifying “Zebra” will match “zebra”, “ZEbrA” or any other combination of upper and lower case letters for that string.

zebra
zebra's
zebras

Search for Full Words

When searching for “gnu”, grep will also print the lines where “gnu” is embedded in larger words, such as “cygnus” or “magnum”.

grep gnu /usr/share/words
cygnus
gnu
interregnum
lgnu9d
lignum
magnum
magnuson
sphagnum
wingnut

To return only those lines where the specified string is a whole word (enclosed by non-word characters), use the -w ( or --word-regexp) option.

Word characters include alphanumeric characters (a-z, A-Z and 0-9) and underscores (_). All other characters are considered as non-word characters.

If you run the same command as above, including the -w option, the grep command will return only those lines where gnu is included as a separate word.

grep -w gnu /usr/share/words
gnu

Show Line Numbers

To show the number of the lines which contain a string that matches a pattern, use the -n ( or --line-number) option. When using this option, grep will print the matches to standard output prefixed with the line number it was found on.

For example to display the lines from the /etc/services file containing the string bash prefixed with the matching line number you can use the following command:

grep -n 10000 /etc/services

The output below shows us that the matches are found on lines 10423 and 10424.

10423:ndmp            10000/tcp
10424:ndmp            10000/udp

Count Matches

To print a count of matching lines to standard output, use the -c ( or --count) option.

In the example below, we are counting the number of accounts that have /usr/bin/zsh as a shell.

grep -c '/usr/bin/zsh' /etc/passwd
4

Search for Multiple Strings (Patterns)

Two or more search patterns can be joined using the OR operator |.

By default, grep interprets the pattern as a basic regular expression where the meta-characters such as | lose their special meaning, and their backslashed versions must be used.

In the example below we are searching all occurrences of the words fatal, error, and critical in the Nginx log error file:

grep 'fatal\|error\|critical' /var/log/nginx/error.log

If you use the extended regular expression option -E (or --extended-regexp) then the operator | should not be escaped, as shown below:

grep -E 'fatal|error|critical' /var/log/nginx/error.log

Quiet Mode

The -q (or --quiet) tells grep to not write anything to the terminal (standard output). If a match is found, the command will exit with status 0. This is useful when using grep in shell scripts where you want to check whether a file contains a string and perform a certain action depending on the result.

Here is an example of using grep in a quiet mode as a test command in an if statement:

if grep -q PATTERN filename
then
    echo pattern found
else
    echo pattern not found
fi

Basic Regular Expression

GNU Grep has two regular expression feature sets, Basic and Extended. By default, grep interprets the pattern as a basic regular expression.

When used in basic regular expression mode, all other characters except the meta-characters, are actually regular expressions that match themselves. Below is a list of most commonly used meta-characters:

  • Use the ^ (caret) symbol to match expression at the start of a line. In the following example, the string ^kangaroo will match only if it occurs at the very beginning of a line.

    grep "^kangaroo" file.txt
  • Use the $ (dollar) symbol to match expression at the end of a line. In the following example, the string kangaroo$ will match only if it occurs at the very end of a line.

    grep "kangaroo$" file.txt
  • Use the . (period) symbol to match any single character. For example, to match anything that begins with kan then has two characters and ends with the string roo, you could use the following pattern:

    grep "kan..roo" file.txt
  • Use [ ] (brackets) to match any single character enclosed in the brackets. For example, find the lines that contain accept or “accent, you could use the following pattern:

    grep "acce[np]t" file.txt
  • Use [^ ] (brackets) to match any single character enclosed in the brackets. The following pattern will match any combination of strings containing co(any_letter_except_l)a, such as coca, cobalt and so on, but will not match the lines containing cola,

    grep "co[^l]a" file.txt

To escape the special meaning of the next character, use the \ (backslash) symbol.

Extended Regular Expressions

To interpret the pattern as an extended regular expression, use the -E ( or --extended-regexp) option. Extended regular expressions include all of the basic meta-characters, along with additional meta-characters to create more complex and powerful search patterns. Below are some examples:

  • Match and extract all email addresses from a given file:

    grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt
  • Match and extract all valid IP addresses from a given file:

    grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' file.txt

The -o option is used to print only the matching string.

To print a specific number of lines before matching lines, use the -B ( or --before-context) option.

For example, to display five lines of leading context before matching lines, you would use the following command:

grep -B 5 root /etc/passwd

To print a specific number of lines after matching lines, use the -A ( or --after-context) option.

For example to display five lines of trailing context after matching lines, you would use the following command:

grep -A 5 root /etc/passwd

Conclusion

The grep command allows you to search for a pattern inside of files. If a match if found, grep will print the lines containing the specified pattern.

There’s lots more to learn about Grep at Grep User’s Manual page.

If you have any questions or feedback, feel free to leave a comment.