
Linux: how can I use find to search for files by date?

I. Introduction

In this tutorial, we will see how to search for files by date using the find command in Linux.

Find is a native command of UNIX systems (it is part of the POSIX standard). It is very useful when you work in the terminal a lot, as it allows you to search the entire system for files and folders according to various criteria.

This command has several filtering and search options. Here we will focus on searching by date, which can be the date a file or folder was last modified or accessed. This type of search is particularly useful when you have a large number of files (usually logs) or want to investigate a specific period (before or after an event).

II. Advanced file and folder attributes

In Linux, all files and folders have attributes. Some of them are well known, such as type (file, socket, folder, symbolic link, etc.), permissions (such as rwxrwxr-x), date of last modification, owner and owner group. These attributes are displayed when using the -a option of the ls command:

Display of the "classic" file attributes in Linux using the ls command.

But there are other attributes that are usually less well known. Among them are the date of the last access and the inode number. This information can be listed using the stat command:

Displays advanced file attributes on Linux using the stat command.

Now that we know that these modification and access attributes exist, we will see how to use them as filters with the find command.

We will see later that the "created" field is not entirely reliable, or even non-existent in some file systems. That is why the find command does not offer an option to filter by creation date.

III. The syntax of the find command

A classic search with the find command might look something like this:

find /home/mickael/ -type f -name "*.txt"

This command searches for all files ending in .txt in the /home/mickael directory. As for the temporal filtering options, we can search for files modified or accessed more than a certain number of days ago, less than a certain number of days ago, or exactly a certain number of days ago. The following notations are used for this purpose:

  • +N more than N days
  • -N less than N days
  • N exactly N days

This will be easier to understand with the following examples.

A. File search by modification date

We can search by the date a file was last modified. This is especially useful for finding out whether a configuration has been modified recently, and can be used to check the integrity of a file. We will use the -mtime option, for example, to show files modified more than 30 days (1 month) ago:

# Display .txt files modified more than 30 days ago
$ find /home/mickael -type f -name "*.txt" -mtime +30

On the other hand, if I am interested in files modified less than a month ago:

# Display .txt files modified less than 30 days ago
$ find /home/mickael -type f -name "*.txt" -mtime -30

Note the difference between +30 and -30. With -mtime (for "modification time"), find shows only files whose last modification occurred more than (+) or less than (-) the given number of days ago.
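How find counts those days matters in practice: it divides a file's age by 24 hours and ignores the fractional part, so a file that is 36 hours old counts as 1 day and is not matched by -mtime +1. The following script is an added example, not part of the original tutorial; it assumes GNU find and GNU touch, and the file names are constructed:

```bash
#!/usr/bin/env bash
# Added example: how find turns a file's age into whole days for -mtime.
# Assumes GNU find (-printf) and GNU touch (-d); file names are constructed.

mtime_rounding_demo() {
    local dir n
    dir=$(mktemp -d) || return 1

    # Constructed sample files with known ages.
    touch -d "12 hours ago" "$dir/age_12h.txt"
    touch -d "36 hours ago" "$dir/age_36h.txt"
    touch -d "60 hours ago" "$dir/age_60h.txt"

    # find divides the age by 24 hours and drops the fraction:
    # 12 h counts as 0 days, 36 h as 1 day, 60 h as 2 days.
    for n in -1 1 +1; do
        printf '%s %s:' "-mtime" "$n"
        find "$dir" -type f -name "*.txt" -mtime "$n" -printf ' %f'
        printf '\n'
    done

    rm -rf "$dir"
}

mtime_rounding_demo
```

The same rounding applies to -atime and -ctime.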

B. File search by access date

We can also filter on the date a file was last accessed, using the -atime option:

# Display .txt files accessed more than 1 day ago
$ find /home/mickael -type f -name "*.txt" -atime +1

On the other hand, if I am interested in files accessed less than a day ago:

# Display .txt files accessed less than 1 day ago
$ find /home/mickael -type f -name "*.txt" -atime -1

With -atime (for "access time"), find shows only files whose last access (read) occurred more than (+) or less than (-) the given number of days ago.

Of course, all these commands also apply to folders. In this case, you must replace -type f with -type d.

C. Filtering by minutes instead of days

In my last example, we used the minimum possible value for the atime and mtime options, i.e. 1 day. However, sometimes it can be useful to filter on smaller time scales, such as minutes.

The find command has options for doing so, which are in fact the same as those seen above, except that the word time is replaced by min:

  • We will use amin instead of atime to filter by date of last access in minutes
  • We will use mmin instead of mtime to filter by date of last modification in minutes

Here are some examples:

# Display .txt files modified less than 30 minutes ago
find /home/mickael -type f -name "*.txt"  -mmin -30

# Display .txt files accessed more than 30 minutes ago
find /home/mickael -type f -name "*.txt"  -amin +30

The only two time scales that can be used with find are, therefore, the minute (mmin, amin) and the day (mtime, atime), which is usually sufficient.

What about the date of creation?

The documentation and help for the find command also offer the -ctime and -cmin options. You might think that the "c" here stands for "creation", but this is not the case. These options concern status changes (or metadata), not file creation. For common Linux file systems, the creation date is not always available or reliable, which is why there are no options in find to filter on it.

Here's an example:

Demonstration of the -cmin (or -ctime) option for the status change date.

Here, my document2.txt file was created on 2025-03-04 at 21:01:39 as indicated by the stat command. I modify the contents of this file on 2025-03-04 at 21:23:03, then check the advanced attributes again with stat. The change date has been modified, not the creation date (which is normal). I then use the find command with the -cmin option to filter files whose status changed more than three minutes ago, and my document2.txt doesn't appear.

If the -cmin option applied to creation (which it doesn't), my document2.txt should have appeared, as it was created more than three minutes ago. This is a pitfall to be aware of if you want to use the find command effectively.

More concretely, the change date also records changes to file permissions. Changing the permissions, owner or group of a file does not update the date of last modification or access, only the date of change. This can be useful in many contexts.

IV. Search by specific time

If you know the precise time and date you're interested in, or even the time range, it can be used as a search filter. To search relative to a specific point in time, we can use -newerXt with a date and time. Here, the X can be a (access), m (modification) or c (change):

# Show files with metadata modified after 03/03/2025
find ./ -newerct "2025-03-03"

# Show files modified before 03/03/2025 (reverse search with !)
find ./  ! -newermt "2025-03-03"

# Display files accessed after 21:00 on 03/03/2025
find ./  -newerat "2025-03-03 21:00:00"

The options here are very similar, but note the subtle differences between metadata change, modification and access (the option ends in ct, mt or at).

As you can see from these examples, it is also possible to perform a reverse or exclusion search (search for files before a specified date) using the character !. We can also specify the hour, minute and second in our filter to be much more precise.
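The two forms can be combined to cover a time range, for example the hour around an event. The following script is an added example, not part of the original tutorial; it assumes GNU find and GNU touch, and the function names, file names and times are constructed:

```bash
#!/usr/bin/env bash
# Added example: files modified inside a time window (after START, up to END).
# Assumes GNU find and GNU touch; the file names and times are constructed.

window_search() {   # usage: window_search DIR START END
    # -newermt START   : mtime strictly after START
    # ! -newermt END   : mtime not after END (END itself is included)
    find "$1" -type f -newermt "$2" ! -newermt "$3" \
        -printf '%TY-%Tm-%Td %TH:%TM %f\n' | sort
}

window_demo() {
    local dir
    dir=$(mktemp -d) || return 1
    touch -d "2025-03-03 20:59:59" "$dir/before.log"
    touch -d "2025-03-03 21:00:00" "$dir/at_start.log"   # equals START: excluded
    touch -d "2025-03-03 21:30:00" "$dir/inside.log"
    touch -d "2025-03-03 22:00:00" "$dir/at_end.log"     # equals END: included
    touch -d "2025-03-03 22:00:01" "$dir/after.log"

    window_search "$dir" "2025-03-03 21:00:00" "2025-03-03 22:00:00"
    rm -rf "$dir"
}

window_demo
```

Replacing -newermt with -newerct or -newerat in window_search applies the same window to the change or access date.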

V. Conclusion

All these options make the find command a very powerful tool. Knowing and mastering them can often save you the trouble of scripting or installing third-party tools. The time filtering options we've just seen can of course be used in combination with the other options of the find command, for example:

# Search for files ending in ".log", modified less than 7 days ago and larger than 1 MB in the /var/log directory.
find /var/log -type f -name "*.log" -mtime -7 -size +1M

Finally, it's important to bear in mind that advanced file attributes can be modified manually, which means they're not always 100% reliable. This consideration is important in the field of cybersecurity, where manipulation of these attributes can be used to conceal malicious activity.
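Both the status change date described earlier and this reliability caveat can be seen in one short run: a permission change moves only the change date, and a modification date set by hand still leaves a fresh change date behind, which a search on -cmin picks up. The following script is an added example, not part of the original tutorial; it assumes GNU find, stat and touch, and report.txt is a constructed file:

```bash
#!/usr/bin/env bash
# Added example: mtime can be set by hand, ctime is stamped by the kernel.
# Assumes GNU find, stat and touch; report.txt is a constructed sample file.

ctime_demo() {
    local dir f before after
    dir=$(mktemp -d) || return 1
    f="$dir/report.txt"
    echo "data" > "$f"
    before=$(stat -c '%Y %Z' "$f")       # mtime and ctime in epoch seconds

    sleep 2
    chmod 600 "$f"                        # metadata change only
    after=$(stat -c '%Y %Z' "$f")
    [ "${before% *}" = "${after% *}" ] && echo "chmod: mtime unchanged"
    [ "${after#* }" -gt "${before#* }" ] && echo "chmod: ctime advanced"

    # Set mtime by hand to an old date; ctime is set to the current time.
    touch -d "2020-01-01 00:00:00" "$f"
    echo "by mtime (-mmin -5): $(find "$dir" -type f -mmin -5 -printf '%f')"
    echo "by ctime (-cmin -5): $(find "$dir" -type f -cmin -5 -printf '%f')"

    # Triage check: list files whose ctime is over one day newer than mtime.
    find "$dir" -type f -printf '%T@ %C@ %f\n' |
        awk '$2 - $1 > 86400 { print "ctime >> mtime: " $3 }'

    rm -rf "$dir"
}

ctime_demo
```

A gap between the two dates is a lead to follow up, not proof of tampering: chmod, chown and archive extraction that preserves modification times produce the same pattern.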

I recommend that you take a look at the advanced options for find in addition to what we've just seen! Feel free to share your thoughts on this tutorial in the comments or on our Discord server.

Mickaël Dorigny Co-founder
Co-founder of IT-Connect. Auditor/Pentester at Orange Cyberdéfense.
