As an experienced Linux systems administrator, efficiently listing and searching files by timestamps is one of my most frequently used skills. Whether needing to analyze logs, identify changed configurations, restore previous versions or clean up stale data – leveraging file date metadata is invaluable.

In this comprehensive reference guide, we will explore the key commands and methodologies to effectively list, filter and take action on Linux files based on modification, access and change times.

Topics include:

  • Date listing commands like ls, find and stat
  • Using access, modification and change times
  • Finding files between date ranges
  • Timestamp format best practices
  • Setting up automatic file lists

By the end, you will have extensive knowledge to wield the full power of Linux file timestamps for everything from troubleshooting and forensics to backups and system maintenance.

Key File Timestamps: atime, mtime, ctime

To understand how to best search by date, we must first examine the 3 timestamps associated with every inode on a Linux file system.

Table 1: Overview of Key Linux File Timestamps

Timestamp Description Updated When Use Cases
atime Last Access Time Reading contents Identify inactive files
mtime Modification Time Changing contents Restore previous versions
ctime Metadata Change Time Updating metadata like permissions Diagnose configuration changes

Access Time (atime)

This timestamp stores the last time the actual contents of a file or directory were accessed. Anytime a file is opened or read, atime is updated with the current system time.

Access times are useful for finding inactive or rarely used files to archive or delete to recover wasted space.

Modification Time (mtime)

This timestamp indicates the last time the contents of a file were changed. Writing, appending or editing a file updates mtime.

Analyzing modification times assists with everything from determining the date of log entries to restoring previous file versions.

Metadata Change Time (ctime)

This timestamp represents when a file‘s inode or directory listing metadata was last changed. Operations like permissions updates, ownership changes and renames impact ctime.

Reviewing ctime can reveal important audit information about configuration alterations if they didn‘t update modification data.

Now that we understand what file timestamps exist and represent, let‘s explore how to actually list files by dates using various Linux tools.

Listing Files by Date with ls

The humble ls command has several useful options for displaying files sorted by last modification and access times.

List by Modification Date

To show files ordered chronologically from most recent modification, use the -t flag:

ls -lt

Prefix with -l for additional details in the long listing format:

ls -lt

Reverse sort order with oldest modified files first via -r:

ls -ltr

For example, to view my home directory contents sorted with newest files on top:

$ ls -lt ~/data/
total 453M
-rw------- 1 user group 153M Feb 28 12:34 database-20230228.backup  
drwxr-xr-x 2 user group 4.0K Feb 27 09:12 logs
-rw-rw-r-- 1 user group 302M Feb 05 16:22 archive.tar.gz

As expected, the February 28th backup file is at the top since that was the most recent modification.

List Files by Last Access Date

To display file listings ordered by the last time they were opened or read instead, use the -u flag:

ls -lut

For instance:

$ ls -lut ~/data 
total 453M   
-rw-rw-r-- 1 user group 302M Feb 05 16:22 archive.tar.gz
drwxr-xr-x 2 user group 4.0K Jan 01 09:12 logs  
-rw------- 1 user group 153M Jan 15 12:34 database-20230115.backup

Here we see the archive.tar.gz comes first in the listing as it was most recently accessed back on February 5th.

So ls provides simple access and modification date sorting to quickly check directories. Next let‘s see more advanced search capabilities with find.

Locating Files by Date with find

The find command offers extremely powerful and precise options to search filesystems based on access, change and modification times using timestamp tests like -atime, -mtime and -ctime.

We will cover numerous examples of matching files by various date conditions with find.

List Files By Specific Modified Date

To find files modified on a certain date, provide the exact date in YYYY-MM-DD format to -newermt:

find /home -newermt 2023-02-05

Similarly for a specific access date:

find /var/log -atime 2023-01-01

And change time:

find /etc -ctime 2023-02-15

This locates any files with metadata altered on Feb 15th 2023.

Search By Days/Minutes Ago

One of the most common needs is locating files that were modified or accessed within the last N days.

Here are some examples:

By Modification Days Ago

# Modified in last day
find /opt -mtime -1 

# Modified over 7 days ago 
find /usr -mtime 7

By Access Days Ago

# Accessed in past 4 days
find ~ -atime -4

# Not accessed in over 90 days
find /media -atime +90

By Minutes Ago

The -mmin test checks access or modification times in minute increments:

# Modified last 5 mins
find ~ mtime -5 

# Not accessed in over 120 mins  
find /downloads ! -amin -120

This enables extremely precise file searches based on timestamp dates and times.

Identify Files Between Date Ranges

A powerful technique is using conditional tests to identify files falling between two dates or times.

For example, here is how to list files modified between two datetimes:

find /data -newermt "2023-02-15 08:00" ! -newermt "2023-02-17 19:00"

Breaking this down:

  • /data start find here
  • -newermt modified AFTER this date+time
  • ! -newermt NOT modified after this cutoff time

So we locate files changed between 8AM Feb 15 and 7PM Feb 17.

This works similarly with access times:

find /var/tmp -atime -5 ! -atime -1

Finds files accessed over 24 hours ago, but within past 5 days.

Leveraging these conditional date ranges is extremely helpful for targeting analysis to precise incidents and events.

Viewing File Timestamps with stat

Beyond just listing files by date, having the ability to directly view access, modification and change times can assist troubleshooting.

The stat command reveals extensive inode details for a file, including all 3 timestamps:

stat myfile.txt  

  File: myfile.txt
  Size: 527       Blocks: 8          IO Block: 4096   regular file
Device: ca03h/51779d    Inode: 20662754      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/ john)   Gid: ( 1000/  john)
Access: 2023-02-28 15:26:23.204302998 +0000
Modify: 2023-02-28 13:36:00.132918156 +0000  
Change: 2023-02-28 13:42:56.596071203 +0000
 Birth: -

This provides modification, access and change times in UTC with nanosecond precision – extremely helpful when needing to analyze down to the second.

Using Date Ranges More Efficiently

Continuing on usingaccessible date ranges for targeting searches, a very efficient method is chaining finds together with xargs:

find / -mtime -5 -print0 | xargs -0 -I{} find {} -newermt "2023-02-01" ! -newermt "2023-02-05"

Breaking this multistep pipe down:

  1. Find files modified within past 5 days
  2. Print filenames delimited by null chars
  3. Pass file list into a chained find limiting by date boundaries

This avoids needing to run find against the full filesystem multiple times. By passing in the recent files list, we surgically extract just the portion meeting data range criteria.

In addition, the null delimiters protect strange filenames – avoiding parsing and matching errors.

For regularly occurring searches, wrap the commands in a script to simplify running them.

Understanding File Timestamp Internals

While the functionality of atime, mtime and ctime is critical, understanding what happens behind the scenes can assist configuring systems optimally.

In Linux, timestamps are stored as metadata structures associated with inodes representing files and directories. Specifically as nansecond resolution integers tracked relative to UNIX epoch time (January 1, 1970).

This integer format enables extremely efficient sorting and comparisons programatically.

By default, many of these timestamps like mtime and ctime are logged synchronously – forcing commits to physical storage prior to reporting file operations as complete. This guarantees integrity at the expense of some performance.

However atime tracking involves more tradeoffs…

noatime Mount Option

By default, Linux will update the atime timestamp any time a file is merely read – not just modified. This atime synchronous tracking ensures accurate last access data.

But for frequently accessed files, these continual atime updates generate excessive storage IO. Launching thousands of writes just to record last read times.

To avoid this IO overload, we can mount file systems with noatime. This prevents almost all atime updates greatly increasing performance.

However, it means access times are no longer reliable indicators of actual last usage on noatime mounts. A notable downside for forensic analysis.

There are also relatime and strictatime options balancing these tradeoffs differently.

Understanding the low level repercussions of timestamp tracking allows optimizing your filesystems for priorities around speed vs accuracy.

Customizing Timestamp Formats

When listing files by date, output formatting is important for both human readability and programmatic parsing.

For display to humans, ISO 8601 formats dates chronologically:

ls --time-style=long-iso
# Dates like 2023-02-15 13:25:30

For script usage, Epoch timestamps sort efficiently:

ls --time-style=+%s
# Dates like 1676444730 

And customize find formats:

find /tmp -daystart -printf ‘%TY-%Tm-%Td %p\n‘ 
# 2023-02-15 myfile

Choose formats appropriate for your use case – whether human or application consumption.

Regular File Listing Reports

Listing files by date criteria is extremely helpful for monitoring patterns across servers.

Setup daily cron jobs to email filtered file lists for review:

Recently Changed Config Files

# List files changed in last 20 minutes
find /etc -mmin -20 > /reports/etc-changes.txt

Large Log Files

# List logs over 50M modified in the last week  
find /var/log -size +50M -mtime -7 > /reports/large-logs.txt

Old Temporary Data

# List temp files not accessed for 6 months
find /tmp ! -atime -180 > /reports/old-tmp-data.txt  

Consistent automatic reporting provides insight into configuration drift and accumulation of stale data.

Conclusion

As we have seen, leveraging access, modification and metadata change times can form the foundation for many types of Linux file analysis.

Getting hands-on practice with the core utilities like ls, find and stat provides the skills to wield this timestamp information for use cases like:

  • Diagnosing issues by identifying recent changes
  • Restoring previous file versions
  • Cleaning up stale and unused data
  • Optimizing performance via mounts
  • Automating maintenance with cron

I hope this guide gives you a expert-level reference to listing files by date in Linux! Let me know in the comments if you have any other favorite timestamp tricks.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *