4

If I run iostat -x 1 I occasionally see large 5MB to 10MB writes.

What files are being written?

I want to check the recently created files with size over 5MB for example.

How would I do so?

user4951
  • 10,519

2 Answers

10

Find files modified within X minutes under /path

find /path -cmin -X

Sign before minute:
    + more than X minutes / over X minutes
    - less than X minutes / within X minutes
   (no sign) exact

Example: find all files in /var/log (including sub-dir) modified within last 30min

find /var/log -cmin -30

Find files with size bigger than X under /path

find /path -size +X<unit>

Sign before size:
    + larger than
    - less than
   (no sign) exact

<unit> :
    b = block (default, 512 bytes)
    c = byte
    w = word (2-byte)
    k = kbyte
    M = Mbyte
    G = Gbyte

Example: find all files in /var/log (including sub-dir) bigger than 50k

find /var/log -size +50k

Combine

Example: find all files in /var/log (including sub-dir) bigger than 50k modified within last 30min

find /var/log -cmin -30 -size +50k

If you want to include 50k in your result, change to

find /var/log -cmin -30 -size +49k

PS: Avoid doing find / ..... as not only will it take a long time, it will also include directories (/dev, /sys, /proc, ...) generally not suitable for search.

John Siu
  • 4,765
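
Added example, not part of the answer above: a small shell function that combines the time and size tests into one triage listing for the "which files just received a 5MB+ write" question. It assumes GNU find (for -printf); the function name recent_large_files and its arguments are made up for this example.

```shell
#!/bin/sh
# recent_large_files DIR MINUTES MIN_BYTES   (hypothetical helper, GNU find assumed)
# Prints "size<TAB>path" for regular files under DIR whose data was modified
# within the last MINUTES minutes and whose size is at least MIN_BYTES bytes,
# most recently modified first.
recent_large_files() {
    rlf_dir=$1
    rlf_minutes=$2
    rlf_min_bytes=$3

    # -xdev        stay on DIR's own filesystem, so a scan started at / does not
    #              descend into /proc, /sys, /dev or other mounts
    # -type f      regular files only (no directories, sockets, devices)
    # -mmin -N     data modified less than N minutes ago; -cmin, used in the
    #              answer, tests the inode change time, which chmod/chown/rename
    #              also update
    # -size +Nc    byte unit: find rounds sizes UP to the unit given, so
    #              "+5M" would skip a file of exactly 5 MiB; counting in bytes
    #              with (MIN_BYTES - 1) gives an exact ">= MIN_BYTES" test
    # -printf      %T@ = mtime as epoch seconds, %s = size in bytes, %p = path
    # Paths containing tabs or newlines would break the column layout.
    find "$rlf_dir" -xdev -type f \
        -mmin "-$rlf_minutes" \
        -size "+$((rlf_min_bytes - 1))c" \
        -printf '%T@\t%s\t%p\n' 2>/dev/null |
        sort -rn |      # newest mtime first
        cut -f2-        # drop the sort key, keep size and path
}

# Run directly as: sh script.sh /var 10 5242880
if [ "$#" -eq 3 ]; then
    recent_large_files "$@"
fi
```

Errors from unreadable directories are discarded, so run it as root when the writer may be a system service.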
1

With find you have to actively search for files on the file system and trust their time stamps.

The alternative on a recent Linux system is inotify. In that case the kernel watches for file system changes as they happen and you can query them for example with inotifywait -m. That should give you a good idea what is going on in real time.

The inotify approach does not work well when recursively monitoring large directory trees. In that case find will give you an idea what directories to monitor.

michas
  • 21,510