How to set (find) atime in seconds

command linefilesfindtimestamps

How do I set -atime in milliseconds, seconds, or minutes? The default is days:

-atime n
File was last accessed n*24 hours ago. When find figures out how many 24-hour periods ago the file was last accessed, any fractional part is ignored, so to match -atime +1, a file has to have been accessed at least two days ago.

I'd like to run a cron job, say, hourly to check if files in a particular directory have been accessed within that time frame. Entering time as a decimal doesn't seem to work, i.e.

find . -atime 0.042 -print

But maybe there is a better solution anyway – another command perhaps? Or perhaps this can't be done.. for finding files modified in last x minutes there is -mmin that allows setting the time in minutes. Perhaps the absence of such option for the access time implies that information is not stored the same way?

I'm using Ubuntu 16.04.

Best Answer

Note that when you do -mtime <timespec>, the <timespec> checks the age of the file at the time find was started.

Unless you run it in a very small directory tree, find will take several milliseconds (if not seconds or hours) to crawl the directory tree and do a lstat() on every file. So having a precision of shorter than a second doesn't necessarily make a lot of sense.

Also note that not all file systems support time stamps with subsecond granularity.

Having said that, there are a few options.

With the find of many BSDs and the one from schily-tools, you can do:

find . -atime -1s

To find files that have been last accessed less than one second ago (compared to when find was started).

With zsh:

ls -ld -- **/*(Dms-1)

For subsecond granularity, with GNU tools, you can use a reference file whose atime you set with touch:

touch -ad '0.5 seconds ago' ../reference
find . -anewer ../reference

Or with recent versions of perl:

perl -MTime::HiRes=lstat,clock_gettime -MFile::Find -le '
  $start =  clock_gettime(CLOCK_REALTIME) - 0.5;
  find(
    sub {
      my @s = lstat $_;
      print $File::Find::name if @s and $s[8] > $start
    }, ".")'

Related Solutions

What does altering a file/directory mean

I'll try to answer your questions in a different order. What does altering a file mean ?

Altering means whenever you modify and update the content of the file (modify in linux). If we look at ntfsundelete source code we can clearly see what the authors have marked as alter:

ntfsundelete.h line 72:

time_t         date_a;    /*  altered */

ntfsundelete.c line 1002, 1045:

name->date_a     = ntfs2timespec(attr->last_data_change_time).tv_sec;

last_data_change_time is also explained in linux/fs/ntfs/inode.c line 674:

      * mtime is the last change of the data within the file. Not changed
      * when only metadata is changed, e.g. a rename doesn't affect mtime.
      */
      vi->i_mtime = ntfs2utc(si->last_data_change_time);

Question nr. 2:

List of actions that change a directory modification time:

Linux

Windows

Question nr.1:

No, deleting a file does not count as altering it. So if you created a file more than two days ago and didn't change it until yesterday when you deleted it the command won't be able to recover it.

Here is a test on my NTFS partition. I had three .jpg files with mtime as follows:

brr.jpg 2012-05-21
IMG_2001.JPG 2012-05-21
s640x480.jpg 2011-03-18

I modified IMG_2001.JPG with MSPaint and saved it so modification time changed to today: 2012-08-26. I then deleted (SHIF+DELETE) all three files and rebooted in Linux.

Running ntfsundelete without --time switch (altered time not taken into account) prints out a long list of files starting with the above three files:

ntfsundelete /dev/sda1 -m '*.jpg'

Inode    Flags  %age  Date           Size  Filename
---------------------------------------------------------------
72801    FN..   100%  2012-05-21   1055334  brr.JPG
72822    FN..   100%  2012-08-26   1034072  IMG_2001.JPG
72826    FN..   100%  2011-03-18     52333  s640x480.jpg
.....    ....   ....  ..........   .......  ............

Files with potentially recoverable content: 1631

Running ntfsundelete with --time d1 switch (so for files altered in the last 1 day) prints out only one file, namely the one I have just modified before deleting all three of them:

ntfsundelete /dev/sda1 -m '*.jpg' -t 1d

Inode    Flags  %age  Date           Size  Filename
---------------------------------------------------------------
72822    FN..   100%  2012-08-26   1034072  IMG_2001.JPG

Files with potentially recoverable content: 1

GNU find -[cma]time option and daylight saving time

For -daystart the manual says:

-- Option: -daystart

Measure times from the beginning of today rather than from 24 hours ago. So, to list the regular files in your home directory that were modified yesterday, do
find ~/ -daystart -type f -mtime 1
The '-daystart' option is unlike most other options in that it has an effect on the way that other tests are performed. The affected tests are '-amin', '-cmin', '-mmin', '-atime', '-ctime' and '-mtime'. The '-daystart' option only affects the behaviour of any tests which appear after it on the command line.

What that means that if you run:

find . -daystart -mtime 1

on the day after the winter changing time (2015-10-25 in Europe this year), that should give you the files last modified between 2015-10-25 01:00 (the first occurrence of that time) and 2015-10-25 23:59:59.999....

If run as

find . -daystart -mtime 0

on 2015-10-25, you'd expect it to get you the files modified between 00:00 and 22:59:59, but doing a simple test (with findutils 4.4.2) shows that it returns files modified between the first 01:00 and 23:59:59 (unless run before the time change).

$ find . -printf '%TFT%TT %p\n'
2015-09-25T14:28:25.4868761490 .
2015-10-25T00:02:00.0000000000 ./a
2015-10-25T23:43:00.0000000000 ./c
2015-10-25T12:42:00.0000000000 ./b
$ NO_FAKE_STAT=1 faketime -m '2015-10-25 12:23' find . -daystart -mtime 0
./c
./b
$ NO_FAKE_STAT=1 faketime -m '2015-10-25 00:32' find . -daystart -mtime 0
./a
./b
$ NO_FAKE_STAT=1 faketime -m '2015-10-25 12:23' find . -daystart -mtime 1
./a

In any case the statement So, to list the regular files in your home directory that were modified yesterday above is not always true.

Without -daystart, the check is for files modified in units of 24 hours. So if run at 12:43 on 2015-10-25, find . -mtime 0 would give you files modified between 2015-10-24 13:43 and now.

A more reliable way to give you the files that were last modified yesterday would be:

 find . -newermt 'yesterday 0' ! -newermt 'today 0'

Note that it includes the files that were last modified today at 00:00:00.0000000000 and not the ones at that time yesterday. Unfortunately there's no -oldermt predicate.

Note that zsh's age function to use in globs like:

$ autoload age # in ~/.zshrc
$ ls -ld -- *(age,yesterday,)

has similar issues.

Best Answer

Related Solutions

What does altering a file/directory mean

GNU find -[cma]time option and daylight saving time

Related Question