Skip to main content
Version: v4.14

files

Shows file information for a given directory.

Synopsis

files [<directory>] [-r|--recurse-directories]
[--follow-directory-symlink]
[--skip-permission-denied]

Description

The files operator shows file information for all files in the given directory.

<directory>

The directory to list files in.

Defaults to the current working directory.

-r|--recurse-directories

Recursively list files in subdirectories.

Follow rather than skip directory symlinks.

--skip-permission-denied

Skip directories that would otherwise result in permission denied errors.

Schemas

Tenzir emits file information with the following schema.

tenzir.file

Contains detailed information about the file.

FieldTypeDescription
pathstringThe file path.
typestringThe type of the file (see below).
permissionsrecordThe permissions of the file (see below).
ownerstringThe file's owner.
groupstringThe file's group.
file_sizeuint64The file size in bytes.
hard_link_countuint64The number of hard links to the file.
last_write_timetimeThe time of the last write to the file.

The type field can have one of the following values:

ValueDescription
regularThe file is a regular file.
directoryThe file is a directory.
symlinkThe file is a symbolic link.
blockThe file is a block device.
characterThe file is a character device.
fifoThe file is a named IPC pipe.
socketThe file is a named IPC socket.
not_foundThe file does not exist.
unknownThe file has an unknown type.

The permissions record contains the following fields:

FieldTypeDescription
ownerrecordThe file permissions for the owner.
grouprecordThe file permissions for the group.
othersrecordThe file permissions for others.

The owner, group, and others records contain the following fields:

FieldTypeDescription
readboolWhether the file is readable.
writeboolWhether the file is writeable.
executeboolWhether the file is executable.

Examples

Compute the total file size of the current directory:

files -r
| summarize total_size=sum(file_size)

Find all named pipes in /tmp:

files -r --skip-permission-denied /tmp
| where type == "symlink"