How do we know which process is creating a datafile

Hi,

Is there any way we can find out which process is creating a particular datafile? I know the user and group, but I am just curious to know whether there is any way to find the process.

Thanks

You can try the lsof command, but the command is only available in a few flavours of Unix.

I guess you can try fuser -u filename as well.

Maybe better/other options are available from the masters here :o

Which OS are you running?

lsof is available for any unix, just gotta download it, but that will only tell you if a currently running process has an open handle to your file.

If the process is finished and you are trying to find what created the file, you'd have to go to audit logs. If you have enabled system call auditing you can track back to a process id and from there identify what created that process but that's pretty painful.

If the process is still running, even without lsof it's pretty easy to locate, but exact method depends on the OS.

With lsof, just run:

lsof <filename>
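
For the "still running, even without lsof" case mentioned above, an added example that is not part of any post in this thread: it assumes Linux (the method depends on the OS), where each process's open descriptors appear under /proc/<pid>/fd, and matches them to the target file by device and inode number. The function names `holders` and `_comm` are hypothetical.

```python
import os
import tempfile

def holders(path, proc_root="/proc"):
    """Return sorted (pid, command, fd) tuples for processes holding `path` open.

    Assumes a Linux-style /proc. Only processes whose fd directory we may
    read are seen, so run as root for a complete answer.
    """
    target = os.stat(path)
    key = (target.st_dev, target.st_ino)   # identity survives renames and hard links
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():            # only numeric entries are PIDs
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                    # process exited or permission denied
            continue
        for fd in fds:
            try:
                st = os.stat(os.path.join(fd_dir, fd))  # follows the fd link
            except OSError:                # descriptor closed while scanning
                continue
            if (st.st_dev, st.st_ino) == key:
                found.append((int(entry), _comm(proc_root, entry), int(fd)))
    return sorted(found)

def _comm(proc_root, pid):
    """Short command name of a PID, or '?' if it vanished."""
    try:
        with open(os.path.join(proc_root, pid, "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"

if __name__ == "__main__":
    # Constructed sample: this process holds a temp file open and finds itself.
    with tempfile.NamedTemporaryFile() as tmp:
        for pid, comm, fd in holders(tmp.name):
            print(pid, comm, fd)
```

Like lsof, this only sees handles that are open at the moment of the scan; a writer that has already exited leaves nothing here.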

AIX unix

I used lsof <filename>. I am getting the following warning:
lsof: WARNING: access /home/user/.lsof_etlp8001: No such file or directory
lsof: WARNING: created device cache file: /home/user/.lsof_etlp8001
If I open the above file, I get a lot of information like the below:

Please help me:
how can we find which process creates which file, or
how can we find which process created file_name1?

Is this a continuation of the previous post? (I don't think so.)
If not, this should be a new thread :)

Don't worry about the above, it's just telling you that it's not been run before and it's creating a cache of available devices to speed it up next time round.

That's weird...
The 'normal' output from lsof when run like that is this:

# lsof /usr/lib/libc.so.1
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
java         63 henry  txt   VREG 85,110  1157932 253163 /usr/lib/libc.so.1
sh         7595  root  txt   VREG 85,110  1157932 253163 /usr/lib/libc.so.1
sh         7596  root  txt   VREG 85,110  1157932 253163 /usr/lib/libc.so.1
sshd      14890  root  txt   VREG 85,110  1157932 253163 /usr/lib/libc.so.1
sshd      14914  fred  txt   VREG 85,110  1157932 253163 /usr/lib/libc.so.1
...