What is Grep?
grep (Global Regular Expression Print) reads text line by line and prints every line that matches a pattern. Created by Ken Thompson in 1973, it is the cornerstone of Unix text processing.
Mental model: grep is a line-level filter. Data streams in from a file or pipe; only matching lines stream out. Everything else is silently discarded.
Input stream (file/pipe)
↓ Line 1: "DEBUG: user logged in" → discarded
↓ Line 2: "ERROR: connection refused" → printed ✓
↓ Line 3: "INFO: retry scheduled" → discarded
↓ Line 4: "ERROR: timeout after 30s" → printed ✓
↓
Output stream
Three Ways to Give grep Data
1. From a file:
grep "ERROR" /var/log/app.log
2. From multiple files (auto-prefixes filename):
grep "ERROR" /var/log/app.log /var/log/nginx/error.log
3. From a pipe (real-time filtering):
# Filter running processes
ps aux | grep "nginx"
# Watch logs live
tail -f /var/log/app.log | grep --line-buffered "FATAL"
# Filter command output
docker ps -a | grep "Exited"
Exit Codes — Why They Matter in Scripts
grep "pattern" file # exit 0: found, exit 1: not found, exit 2: error
Use the exit code directly in if statements; -q suppresses output, so nothing needs to be captured:
# Health check: did the service crash?
if grep -q "FATAL" /var/log/app.log; then
    systemctl restart myapp
    echo "Restarted after fatal error" | mail -s "Alert" ops@example.com
fi
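An if test on grep -q treats exit 1 (no match) and exit 2 (file missing or unreadable) the same way, so a log that cannot be read looks healthy. The following added example, not part of the original page, keeps the three exit codes apart; scan_log is a hypothetical helper name and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example. scan_log is a hypothetical helper; the log lines are constructed.

# scan_log PATTERN FILE
# Prints match / clean / error and returns 0 / 1 / 2, so a caller can tell
# "nothing found" apart from "could not look".
scan_log() {
    rc=0
    # -q: no output, -F: literal string, -e and --: a pattern or path that
    # starts with "-" is not parsed as an option.
    grep -q -F -e "$1" -- "$2" 2>/dev/null || rc=$?
    case $rc in
        0) echo "match" ;;
        1) echo "clean" ;;
        *) echo "error"; rc=2 ;;
    esac
    return "$rc"
}

# Constructed sample logs for the demo, removed when the script exits.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'DEBUG: user logged in' 'FATAL: out of memory' > "$demo_dir/crashed.log"
printf '%s\n' 'DEBUG: user logged in' 'INFO: retry scheduled' > "$demo_dir/healthy.log"

# missing.log is deliberately never created, to exercise the exit 2 path.
for log in crashed.log healthy.log missing.log; do
    status=$(scan_log "FATAL" "$demo_dir/$log") || true
    case $status in
        match) echo "$log: FATAL present, restart the service" ;;
        clean) echo "$log: no FATAL lines" ;;
        error) echo "$log: log unreadable, raise a monitoring alert" ;;
    esac
done
```
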
What grep Can and Cannot Do
| Task | grep | Better Tool |
|---|---|---|
| Filter lines by pattern | ✅ | — |
| Count matching lines | ✅ -c | — |
| Show surrounding context | ✅ -C N | — |
| Search directories | ✅ -r | rg (faster) |
| Parse JSON | ⚠️ Limited | jq |
| Replace text | ❌ | sed |
| Column/field extraction | ❌ | awk |
| Search code repos | ⚠️ Slow | rg |