Linux Beginner’s Guide Part 4

Filtering Input

The grep command is a text filter: it searches its input and returns the lines that match a given pattern.


To start the example, use the following command to get to the ~/Documents folder: cd ~/Documents

Then copy the file on which we will run the tests to the current directory: cp /etc/passwd . (note the dot, it's important!)

Next, run the grep command like this:

grep sysadmin passwd

The line that will be returned from the passwd file contains the pattern sysadmin.

Edit passwd file, add more lines that will contain the word sysadmin, then run the grep command and see what happens.

Regular Expressions

Regular expressions have two forms: basic and extended.

Basic regular expressions:

. any one single character

[ ] any one of the specified characters

[^ ] not the specified character

* zero or more of the previous character

^ if the first character in a pattern, the pattern must be at the beginning of the line to match

$ if the last character in a pattern, the pattern must be at the end of the line to match

Extended regular expressions (must be used with the egrep command or grep -E):

+ one or more of the previous pattern

? the preceding pattern is optional

{ } specify minimum, maximum or exact matches of a previous pattern

| alternation, a logical "or"

( ) used to create groups

Basic patterns

Regular expressions can be refined to match specific sequences of characters in a text.

Anchor characters

Anchor characters are used to mark and filter search results. To prevent the shell from misinterpreting the command, the word to be searched for must be placed between single quotes ' ', as in the example below:

grep 'root' passwd

How many times is the word root displayed in the output? The correct answer is 4 times.

Run the following command: grep '^root' passwd (the ^ character ensures that the pattern appears at the beginning of the line)

In the next example run cat command to see the contents of passwd file: cat passwd

Run the command grep 'n$' passwd and see what is displayed. The $ character ensures that the pattern appears at the end of the line.

For example, you can run: grep 'n.....n' passwd. It will mark all words that start with the character n, have any 5 characters inside and end with the character n. You can also try grep '...' passwd or grep '.a..' passwd and see what is displayed.

Let's try to filter numbers: grep '[0-9]' passwd. This command will mark all digits from 0 to 9.

To negate the digits from 0 to 9, use the following command: grep '[^0-9]' passwd

Mark special characters: grep '[.]' passwd

To mark 0 (zero) or more occurrences of a character: grep 's*' passwd

grep 'n[bs]s*' passwd

As we will see later in this tutorial, grep is a very important command and will ease your work a lot if used properly.

Using grep with firewall logs: grep -iE '(|DROP|DPT=443|)' firewall.log
This command will search firewall.log and mark lines containing the IP, or DROP, or DPT=443 (destination port 443; port 443 is used by HTTPS).

The tail or cat commands can be combined with grep or egrep, so that only the lines containing the requested keywords are output:

cat firewall.log | grep -iE '(|DROP|DPT=443|)'

tail firewall.log | grep -iE '(|DROP|DPT=443|)'

On other Linux distributions the following commands, combining several grep patterns with cat, tac or tail, may work as well:

cat firewall.log | egrep -iE "|DROP|DPT=443"

tac firewall.log | egrep -iE "|DROP|DPT=443"

tail firewall.log | egrep -iE "|DROP|DPT=443"
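Here is the firewall-log filtering from above run against a few constructed log lines, as an added example that is not part of the original guide. It shows why anchoring (DPT=443$ versus DPT=443), escaping dots in an address and avoiding empty alternatives matter; every address, hostname and timestamp is made up.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the firewall.log filters
# described in the text, run against constructed iptables-style log lines.
# All addresses (RFC 5737 test ranges), hostnames and times are made up.
FIREWALL_LOG='Jan 10 10:00:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Jan 10 10:00:02 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
Jan 10 10:00:03 gw kernel: DROP IN=eth0 SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=23
Jan 10 10:00:04 gw kernel: drop IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=51003 DPT=53
Jan 10 10:00:05 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=4430'

# Number of log lines matching an extended regex, case-insensitively (grep -iE).
# grep -c prints 0 but exits 1 when nothing matches; "|| true" keeps that a
# normal result rather than an error under "set -e".
count_matches() {
    printf '%s\n' "$FIREWALL_LOG" | grep -iEc -- "$1" || true
}

# Unique source addresses of dropped packets: keep the DROP lines (any case),
# cut out the SRC= field with grep -o, strip the prefix and de-duplicate.
dropped_sources() {
    printf '%s\n' "$FIREWALL_LOG" \
        | grep -i 'DROP' \
        | grep -oE 'SRC=[0-9.]+' \
        | sed 's/^SRC=//' \
        | sort -u
}

# Demonstration: the same keywords, with and without anchors and escapes.
echo "DPT=443 unanchored (also hits DPT=4430): $(count_matches 'DPT=443')"
echo "DPT=443 anchored to end of line:         $(count_matches 'DPT=443$')"
echo "DROP, any case:                          $(count_matches 'DROP')"
echo "one source address, dots escaped:        $(count_matches 'SRC=203\.0\.113\.5 ')"
echo "combined alternation:                    $(count_matches '(203\.0\.113\.5|DROP|DPT=443$)')"
echo "empty alternative matches every line:    $(count_matches '(|DROP)')"
echo "sources of dropped packets:"
dropped_sources
```

The last filter is the trap in the tutorial's own pattern: an empty alternative inside ( | ) matches the empty string, so every line passes and the filter filters nothing.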

Author and Assistant Professor in Finance, Ardent fan of Arsenal FC. Always believe "The only good is knowledge and the only evil is ignorance - Socrates"