Linux – Command: find and delete log files – deep explanation


find $LOG_PATH -type f -mtime +60 -print -exec rm {} \;

The above command deletes log files. I did read the manual for each command but didn't understand it WELL.

Can anyone explain this in a simple explanation?

Thanks!

Best Answer

Kudos for trying to understand the command using the manual first. I'll try and explain how the command works by referring to each section of the manual located here.

The command essentially does the following things. 1) It looks inside a path specified by the $LOG_PATH variable for regular files that have been modified more than 60 days prior. 2) For each valid result, it prints the filename and then executes the rm command on the file.

The detailed breakdown is as follows. The find command has a basic syntax which looks like this (a few advanced options have been omitted for clarity):

find [starting-point...] [expression]

The starting point is a path, such as /home or documents/. The manual says:

GNU find searches the directory tree rooted at each given starting-point by evaluating the given expression from left to right, according to the rules of precedence...

In your case, this starting point is specified by the variable $LOG_PATH. This variable is expected to contain a value that is a valid path.

Now that find knows where to look for files, the next step is to evaluate the expressions given. Again, referring back to the manual:

The part of the command line after the list of starting points is the expression. This is a kind of query specification describing how we match files and what we do with the files that were matched.

For simplicity, we will consider the two types of expressions that appear in your command: tests and actions.

Tests return a true or false value, usually on the basis of some property of a file we are considering.

Actions have side effects (such as printing something on the standard output) and return either true or false, usually based on whether or not they are successful.

The tests in this case are the -type f and the -mtime +60 expressions. The -type test checks that a file is of a certain type. -type f checks if a file is a regular file. Other variations include -type d to check for directories, and -type l to look for symbolic links.

The -mtime +60 test is a bit more involved. It checks if a file's data/contents were modified more than 60 days ago. There is a complication here: find ignores the fractions involved in calculating the modified time. As a result, a file would actually need to be modified 61*24 hours ago to successfully pass this test. The time is calculated from the time when the command is executed, and is not based on calendar days.

The next expression in your find command is an action: -print. With the -print action, the filename of each file that passes the -type and -mtime tests is printed to standard output (one file per line). This essentially gives you the result of find: a list of files, which pass the test conditions you have specified.

The final part of your find command is also an action: -exec. The -exec action runs the specified command on each result of find. In your case, this is the rm command, which removes the file. The curly braces ({}) specify where the name of the file is to be substituted. This results in a command of the form rm /path/to/target/file. The semicolon at the end specifies that the command specified by -exec should be executed once for each matched file. Because the semicolon is a special character for the shell as well, it is escaped by prefixing a backslash.
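The command from the question, run against a constructed temporary tree to show which file ages pass -mtime +60 and which survive. This is an added example, not part of the original answer; the function names and sample file names are assumptions, and it requires GNU find and GNU touch.

```shell
#!/bin/sh
# Added example: same tests and actions as the command in the question,
# with the starting point quoted and validated before anything is removed.

# Refuse an empty or non-directory path and a non-numeric day count.
# An unquoted, empty $LOG_PATH would vanish from the command line and
# GNU find would then search "." (its default starting point).
check_args() {
    [ -n "$1" ] && [ -d "$1" ] || { echo "refusing: '$1' is not a directory" >&2; return 2; }
    case $2 in ''|*[!0-9]*) echo "refusing: bad day count '$2'" >&2; return 2 ;; esac
}

# purge_old_logs DIR DAYS: print, then remove, each regular file under DIR
# whose age in whole 24-hour periods is greater than DAYS.
purge_old_logs() {
    check_args "$1" "$2" || return 2
    # "--" stops rm from reading a file name as an option.
    find "$1" -type f -mtime +"$2" -print -exec rm -- {} \;
}

# Build a constructed sample tree and print its path.
# Ages are given in hours so they are exact elapsed time.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    touch -d "$((59 * 24)) hours ago"      "$d/app-59d.log"       # too young
    touch -d "$((60 * 24 + 12)) hours ago" "$d/app-60d12h.log"    # 60.5 days -> 60, not > 60
    touch -d "$((61 * 24 + 1)) hours ago"  "$d/app-61d1h.log"     # 61 > 60, removed
    touch -d "$((90 * 24)) hours ago"      "$d/old name with spaces.log"
    # Old directory: excluded by -type f even though its mtime is 90 days.
    mkdir "$d/archive" && touch -d "$((90 * 24)) hours ago" "$d/archive"
    printf '%s\n' "$d"
}

# Demo: purge the sample tree, list what is left, clean up.
tree=$(make_sample_tree) || exit 1
echo "removed:";   purge_old_logs "$tree" 60
echo "remaining:"; ls "$tree"
rm -rf "$tree"
```

Dropping the -exec part (leaving -print) gives a dry run that lists the same files without deleting them.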
