
Careful, some people will be along any second pointing out your approach limits your ability to use "grep" and "cat" on your log after recovering it to your pdp-11 running in your basement. Also something about the "Unix philosophy" :p

Seriously though, I think this is a great idea, and would be interested in how easy it is to write sqlite output adaptors for the various logging libraries out there.




> some people will be along any second pointing out your approach limits your ability to use "grep" and "cat" on your log

And they won’t be wrong.


Unix philosophy still applies

`sqlite3 logs.db "select log from logs" | grep whatever`


By the same argument, the systemd binary logs also follow the Unix philosophy.


As per the example above, for all practical purposes it does.


Indeed they do.


How would you tail or watch a sqlite log? (on a pdp-11 if necessary :)


Write a program using

https://www.sqlite.org/c3ref/update_hook.html

On a PDP-11, run this program via telnet, rsh, or rexec.

If you're more ambitious, porting SQLite to 2.11BSD would be a fun exercise.


Update hook doesn't trigger if the write happened from a different process.


Interesting, that's a requirement for an out of band tailing tool.

Maybe a user-defined function bound to an INSERT trigger. But I believe that functions are also connection-specific, which is fine for the tail tool, but what happens when the user-defined function connection goes away?


Nope. Triggers and user defined functions don't help across processes either.


`watch -n 5 'sqlite3 logs.db "select log from logs" | grep whatever'`


Just what I wanted, additional overhead and a five-second delay.
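
Added example, not posted by anyone in this thread: a cross-process tail that avoids the update hook by checking SQLite's `PRAGMA data_version`, which changes whenever another connection commits, and then reading only rows past the last rowid seen. It assumes the `logs` table with a `log` column from the commands above and an append-only log (rowids only grow); `LogTail` and `follow` are illustrative names.

```python
import sqlite3
import sys
import time


class LogTail:
    """Follow rows appended to logs(log) by other connections or processes."""

    def __init__(self, path):
        # Read-only, autocommit connection: no lingering read transaction
        # that would hold a lock against the process writing the log.
        self.conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True,
                                    isolation_level=None)
        # Read the version before the rowid so a write landing between the
        # two reads triggers one harmless extra poll instead of a missed row.
        self.version = self._data_version()
        self.last_rowid = self.conn.execute(
            "SELECT coalesce(max(rowid), 0) FROM logs").fetchone()[0]

    def _data_version(self):
        # Changes whenever any *other* connection commits to the database.
        return self.conn.execute("PRAGMA data_version").fetchone()[0]

    def poll(self):
        """Return log lines committed since the previous call, oldest first."""
        version = self._data_version()
        if version == self.version:
            return []  # nothing committed elsewhere; skip the table query
        self.version = version
        rows = self.conn.execute(
            "SELECT rowid, log FROM logs WHERE rowid > ? ORDER BY rowid",
            (self.last_rowid,)).fetchall()
        if rows:
            self.last_rowid = rows[-1][0]
        return [log for _, log in rows]


def follow(path, interval=0.2):
    """Print new rows until interrupted (assumes an append-only table)."""
    tail = LogTail(path)
    while True:
        for line in tail.poll():
            print(line, flush=True)
        time.sleep(interval)


if __name__ == "__main__":
    follow(sys.argv[1])
```

Output is line-oriented and flushed on every row, so it can be piped straight into grep; an idle poll costs one pragma read rather than a full table scan.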


> Careful, some people will be along any second pointing out your approach limits your ability to use "grep" and "cat" on your log after recovering it

I wish Splunk and friends would have an interface like that. Sure it does basic grep, and it is a much more powerful language, but sometimes you just needed some command line magic to find what you wanted.


I've learned so much about Splunk this month. I hate it. The UX is hot garbage. Why are settings scattered everywhere? Why does a simple word search not return any results? Why is there no obvious way to confirm data is being forwarded; like actual packets, not just what connections are configured.


Is there a way to mount the sqlite tables as a filesystem?



