Ubuntu – How does this [t]ricky bracket expression in grep work

bashcommand linegrep

I saw this one-liner recently:

$ ps -ef | grep [f]irefox 

thorsen   16730     1  1 Jun19 ?        00:27:27 /usr/lib/firefox/firefox ...

So it seems to return the list of processes with "firefox" in the data but leaving out the grep process itself, and therefore seems roughly equivalent to:

ps -ef |grep -v grep| grep firefox

I can't understand how it works though. I've looked at the man page on grep and elsewhere but haven't found an explanation.

And to compound the mystery if I run:

$ ps -ef | grep firefox  > data
$ grep [f]irefox data

thorsen   15820 28618  0 07:28 pts/1    00:00:00 grep --color=auto firefox
thorsen   16730     1  1 Jun19 ?        00:27:45 /usr/lib/firefox/firefox ....

the [t]rick seems to stop working!

Someone here will know what's going on I'm sure.

Thanks.

Best Answer

  • The square bracket expression is part of the bash shell (and other shells as well) grep's character class pattern matching.

    The grep program by default understands POSIX basic regular expressions. With that you can define character classes. For example ps -ef | grep [ab9]irefox would find "airefox", "birefox", "9irefox" if those existed, but not "abirefox".

    The command grep [a-zA-Z0-9]irefox would even find all processes that start with exactly one letter or number and end in "irefox".

    So ps -ef | grep firefox searches for lines with firefox in it. Since the grep process itself has "firefox" in it, grep finds that as well. By adding a [], we are only searching for the character class "[f]" (which consists of only the letter "f" and is therefor equivalent to just an "f" without the brackets). The advantage of the brackets now is that the string "firefox" no longer appears in the grep command. Hence, grep itself won't show up in the grep result.

    Because not very many people are familiar with square brackets as character class matching and regular expressions in general, the second result might look a little mysterious.

    If you want to fix the second result, you can use them this way:

    ps -ef | grep [f]irefox  > data
    grep firefox data
    

    (Reference)

  • Related Question