LearnRHCSA (EX200)Exam Orientation + Essential Tools

grep and Regular Expressions

grep - a hands-on Linux lab on a real virtual machine.

Pull exact lines out of any file with grep. Plain matches, the -c, -n, -i, -v, -o, and -r flags, the -E extended form, and the regex metacharacters ^ $ . and character classes. Serves EX200 task 4: write every line matching a pattern into a file with the order preserved.

Open a terminal on a RHEL machine and there is a file that lists every account it knows about: /etc/passwd. It is one line per user, and on a busy server it runs to dozens of lines. Somewhere in that pile is the line for root, the superuser. Reading top to bottom to find it is a waste of the one thing the exam never gives you enough of: time.

There is a command that pulls the exact lines you want out of any file in a single shot. Point it at a pattern, and it prints every line that matches and nothing else. It is called grep, and by the end of this lesson you will use it to answer a real EX200 task: write every line matching a pattern into a file, with the order preserved.

The black boxes below are a practice terminal: a safe sandbox that checks the one command each step teaches. The outputs shown are a real capture from a RHEL 10 machine (AlmaLinux 10.2). Your own /etc/passwd may list different accounts, so the exact lines can vary, but the SHAPE and the moves are what carry to the exam.

grep reads a file (or piped input) one line at a time and prints every line that contains the pattern you give it. A pattern in its simplest form is just plain text: hand grep the word root and it prints every line with root anywhere in it.

The basic form is grep PATTERN FILE. That is the whole shape. You will decorate it with flags and regular expressions for the rest of the lesson, but every single form is still grep, a pattern, and something to search.

The name is not random letters. It comes from an old line editor called ed, where the command g/re/p meant globally search for a regular expression and print the matching lines. That editor command was so useful it was carved out into a standalone program, and the initials stuck: g-re-p.

That history is also your first hint about the second half of this lesson. The re in the middle stands for regular expression. That is a small pattern language for matching shapes of text, not just fixed words: lines that start a certain way, end a certain way, or hold a class of characters. You will meet it after the plain-text drills.

Start with the plainest possible search. You want every line in /etc/passwd that contains the text root. Before you run it, decide what you expect: probably the root account itself, and maybe an account or two whose home directory is /root.

Run it now:

grep root /etc/passwd

prompt: student@servera:~$ answer: grep root /etc/passwd output: root:x:0:0:Super User:/root:/bin/bash operator:x:11:0:operator:/root:/usr/sbin/nologin hint: The form is grep, then the plain word, then the file: grep root /etc/passwd

Two lines, not one. The first is the root account: reading the colon-separated fields, its login shell is /bin/bash, and the fifth field, its description, reads Super User. The second line is operator, and it matched only because its home directory is /root. That is the core behaviour of plain grep: it matches your text ANYWHERE on the line, not just at the start. Hold that thought, because narrowing it down is exactly what regular expressions are for.

Your machine's /etc/passwd may not carry Super User as root's description, and it may list different service accounts. The captured lines above are from the RHEL 10 exam image. What never changes is the mechanic: grep WORD FILE prints every line containing that word.

Sometimes you do not want the lines, you want the number. How many accounts on this machine use the Bash shell? The -c flag turns grep into a counter: instead of printing matching lines, it prints how many there were.

Search for bash and count the hits:

grep -c bash /etc/passwd

prompt: student@servera:~$ answer: grep -c bash /etc/passwd output: 2 hint: Same search, with the count flag: grep, -c, the word bash, then the file.

Two. On this image, two lines in /etc/passwd contain bash. That single number is the whole answer, no lines printed. -c is the flag you reach for when a task asks how many, not which. One honest caution: -c counts matching LINES, not matches. A line with the word twice still counts once.

When you need to know WHERE in the file a match sits, -n prints the line number in front of each match. That is invaluable when a task says edit the line that mentions something, and you need to jump straight to it in vim.

Find the lines mentioning nologin, the shell handed to accounts that are not meant to log in, and number them:

grep -n nologin /etc/passwd

prompt: student@servera:~$ answer: grep -n nologin /etc/passwd output: 2:bin:x:1:1:bin:/bin:/usr/sbin/nologin 3:daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin 4:adm:x:3:4:adm:/var/adm:/usr/sbin/nologin hint: Add the number flag to your search: grep, -n, nologin, then the file.

Each line now carries its position: the bin account is on line 2, daemon on line 3, adm on line 4, and the list continues down the file. The number and a colon sit in front of the original line. This capture shows the first few; a real machine may have more nologin accounts, so your list runs longer. The value is the move: -n tells you exactly which line to open.

Two more flags earn their place on the exam. -i makes the match case-insensitive, so error, Error, and ERROR all match one search. -v inverts the match: it prints every line that does NOT contain the pattern. -v is how you strip comment lines out of a config file, grep -v '^#' /etc/somefile throws away every line that starts with a #.

You can stack flags into one dash. To search case-insensitively AND show line numbers, write grep -in. Order does not matter, -ni works the same.

grep -v '^#' and its partner grep -v '^

#39; (drop blank lines) are two of the most reused patterns in real Linux work. Chain them with a pipe, grep -v '^#' file | grep -v '^
#39;
, and you get a config file with all the noise removed. That ^ is your first regular expression, and the next step makes it official.

A plain word matches that word anywhere on a line. A regular expression lets you describe the SHAPE of a line instead. These are the metacharacters that matter for the exam:

The two anchors are the ones you will lean on hardest. ^root matches only lines that BEGIN with root, so it drops the operator line you saw earlier, whose root was buried mid-line in /root. And nologin$ matches only lines that END with nologin, which on the exam is the classic way to isolate every account with a disabled shell.

For the richest patterns, add -E, which turns on extended regular expressions. -E unlocks alternation with the pipe (root|adm matches either word), one-or-more with +, and grouping with (), all without the backslash-escaping that plain grep would demand. On the exam, reach for -E the moment a pattern gets complex; it saves keystrokes and mistakes.

Now the real EX200 task 4 move. A task will say something like: write every line ending in nologin into a file. You anchor the pattern with $, run it under -E, and redirect the output with > into the target file. The > sends what grep prints into the file instead of the screen, in the same order grep found it. To confirm the count first, -c under -E reports how many lines will land.

Count the lines ending in nologin:

grep -Ec 'nologin

#39; /etc/passwd

prompt: student@servera:~$ answer: grep -Ec 'nologin

#39; /etc/passwd output: 25 hint: Combine the extended and count flags, and anchor to the line end: grep -Ec, then 'nologin
#39;, then the file.

Twenty-five. On this image, 25 accounts have a shell that ends in nologin, meaning they cannot log in interactively. The $ did the real work: it forced the match to the very end of the line, so a line that merely mentions nologin somewhere in the middle would not count. Swap -c for a > redirect and those same 25 lines land in a file, in file order. That is the graded shape: grep -E 'nologin

#39; /etc/passwd > outfile.

The count 25 belongs to the RHEL 10 exam image. A different machine with different service accounts will report its own number. What transfers is the predicate itself: nologin$ is the exam-classic way to select every non-login account, and pairing it with > writes them to a file in order.

Scaffolding off. No command is shown this time. You have every piece you need.

A task hands you this: write every line of /etc/passwd whose shell ends in /bin/bash into a file called bashusers, keeping the original order. Think about which anchor pins the pattern to the END of the line, and which redirect sends the matching lines into a file instead of the screen.

prompt: student@servera:~$ answer: grep -E '/bin/bash

#39; /etc/passwd > bashusers output: hint: End-of-line anchor is $, and > redirects grep's output into a file. Build grep -E, the anchored pattern '/bin/bash
#39;, the file /etc/passwd, then > bashusers.

Nothing printed to the screen, and that is correct: the > sent every matching line straight into bashusers instead. You anchored /bin/bash$ to the line end so only real login-shell accounts matched, ran it under -E, and redirected the result. The lines land in the file in the same order grep read them, which is exactly what write matching lines to a file, order preserved asks for. Open bashusers afterward and you would see those account lines, top to bottom, untouched. That is EX200 task 4, done the way the grader wants it.

You earned this cheat sheet. Every row is a form you just ran or built:

The one pattern to burn into memory for the exam: nologin$ selects non-login accounts, /bin/bash$ selects real login accounts, and > writes either set into a file exactly as grep found them.

The practice terminal has shown you the shape of grep: plain matches, the -c, -n, -i, and -v flags, and the anchors ^ and $. You also met the -E extended form that powers the write-to-a-file exam move. Every one of those you typed yourself.

The essential-tools module mission is where you run these against a real RHEL 10 machine. A full VM boots for you, with its own /etc/passwd and its own account list. The mission hands you objectives that use exactly what you practiced here: pull lines by pattern, count them, anchor them, and redirect the matches into a file with the order preserved. One difference from this lesson: the mission shows no commands. You read the objective, recall the grep, and type it. That recall is what makes it stick on exam day.

Finish the other essential-tools lessons, then go analyze a real file for yourself.

Practice grep and Regular Expressions in a real Linux terminal at The Linux Camp. Progress is verified automatically as you type commands on the machine.