tenzir VS Apache Arrow

We're building something similar at Tenzir, but more for operational security workloads. https://docs.tenzir.com

Differences to Vector:

- An agent has optional indexed storage, so you can store your data there and pick it up later. The storage is based on Apache Feather, Parquet's little brother.

- Pipelines operators both work with data frames (Arrow record batches) or chunks of bytes.

- Structured pipelines are multi-schema, i.e., a single pipeline can process streams of record batches with different schemas.

Tenzir | Remote (EU) or Hamburg, Germany | open-core | Full-time | https://tenzir.com

Tenzir is hiring several key engineering roles to meet the needs in expanding the team. Our product: security data pipelines. From the data side, think of it as an Arrow-native, multi-schema ETL tool that offers optional storage in Parquet/Feather. From the security perspective, think of it as a solution for collecting, parsing, transforming, aggregating, and routing data. We typically sit between the data sources (endpoint, network, cloud) and sinks (SIEM, data lake).

Our open-source execution engine is C++20 (https://github.com/tenzir/tenzir), our platform is SvelteKit and TypeScript. Experience with data-first frontend apps is a great plus. Open positions at https://tenzir.jobs.personio.de:

    - Fullstack Engineer

We're in the middle of getting TQL v2 [] out of the door with support for expressions and more advanced control flow, e.g., match-case statements. There's a blog post [#] about the core design of the engine as well.

While it's a general-purpose ETL tool, we're targeting primary operational security use case where people today use Splunk, Sentinel/ADX, Elastic, etc. So some operators are very security'ish, like Sigma, YARA, or Velociraptor.

[] https://github.com/tenzir/tenzir/blob/64ef997d736e9416e859bf...

[#] https://docs.tenzir.com/blog/five-design-principles-for-buil...

Hey, founder of Tenzir [1] here — We are building an open-core pipeline-first security data engine that can massively reduce your Splunk costs. Even though we go to market "mid stream" we have a few users that use us as light-weight SIEM (or more accurately, just plain log management).

We are still in early access to browse through our docs or swing by our Discord.

[1] https://tenzir.com | https://docs.tenzir.com

Download VAST v3.1 here: https://github.com/tenzir/vast/releases/tag/v3.1.0

Tenzir is a funded seed-stage startup that builds a next generation data-plane for plug-and-play security operations. Our mission is to empower defenders with an open data engineering platform to perform data-driven investigations through combination best-of-breed solutions. Our stack consists of the high-performance C++20 telemetry engine VAST, a Rust API, and a ReasonML-based frontend.

I had chat with Hannes, the DuckDB co-founder, a few weeks ago. They are building awesome stuff to become the "SQLite of OLAP". The team comes with a strong academic background and is tuned into the data engineering world.

At Tenzir, we looked at DuckDB as embeddable backend engine to do the heavy lifting of query execution of our engine [1]. Our idea is throwing over a set of Parquet files, along with a query; initially SQL but perhaps soon Substrait [2] if it picks up.

We also experiment with a cloud deployment [3] where a different set of I/O path may warrant a different backend engine. Right now, we're working on a serverless approach leveraging Datafusion (and depending on maturity, Ballista at some point).

My hunch is that we will see more pluggability in this space moving forward. It's not only meaningful from an open-core business model perspective, but also pays dividends to the UX. The company that's solving a domain problem (for us: security operations center infrastructre) can leverage a high-bandwidth drop-in engine and only needs to wire it properly. This requires much less data engineers than building a poorman's version of the same inhouse.

We also have the R use case, e.g., to write reports in Rmarkdown that crunch some customer security telemetry, highlighting outliers or other noteworthy events. We're not there yet, but with the right query backend, I would expect to get this almost for free. We're close to being ready to use Arrow Flight for interop, but it's not zero-copy. DuckDB has demonstrated the zero-copy approach recently [4], going through the C API. (The story is also relevant when doing s/R/Python/, FWIW.)

[1] https://github.com/tenzir/vast

To this end, we build the high-performance telemetry engine VAST, which at its core, ingests hundreds of thousands of events per second from high-volume data sources (such as network telemetry as NetFlow, Zeek, Suricata, and endpoint telemetry from various agents). To the user, VAST offers low-latency access through various APIs, and in particular Apache Arrow for high-bandwidth data sharing with downstream tooling. A flexible plugin API enables additional security-specific use cases on top, such as realtime matching of threat intelligence or mining of asset data for passive inventorization.

Tenzir | C++, ReasonML, Rust, Python | Remote | Open-source | Full-time | https://tenzir.com

Tenzir is a funded seed-stage startup that builds a next generation data-plane for plug-and-play security operations. Our mission is to empower defenders with an open platform to perform automated data-driven investigations through combination best-of-breed solutions. Our stack consists of the high-performance C++ database VAST (https://github.com/tenzir/vast), a Rust API, and a ReasonML-based frontend.

Our open engineering positions include:

- Database: https://tenzir.com/career/backend-engineer/

- DevOps: https://tenzir.com/career/devops-platform-engineer/

- Frontend: https://tenzir.com/career/frontend-engineer/

We are based out of Hamburg, Germany, but cultivate an agile remote-first mindset. If you live in the region and look for a System Administrator, we’d love to hear from you!

For any questions, feel free to reach out to us at [email protected].

We at Tenzir (https://tenzir.com/) are an early-stage startup that build a next generation data-plane for modern Security Operations Centers. We are looking for a frontend engineer to help us enhance the web interface to VAST (our open-core telemetry engine, https://github.com/tenzir/vast). In our stack, we use C++ for VAST , Rust and ReasonML (compiled to JS) in our API-Layer, and ReasonML on the frontend. Our website is written in ReasonML with the help of Gatsby. Our team cultivates a mindset of strong typing and functional programming, practiced end-to-end across the entire stack. We're a remote-first company, scattered across Europe. Ideally looking for someone within (+ / -) 4hrs timezone.

In comes Polars: a brand new dataframe library, or how the author Ritchie Vink describes it... a query engine with a dataframe frontend. Polars is built on top of the Arrow memory format and is written in Rust, which is a modern performant and memory-safe systems programming language similar to C/C++.

I learned yesterday about GoLang's assembler https://go.dev/doc/asm - after browsing how arrow is implemented for different languages (my experience is mainly C/C++) - https://github.com/apache/arrow/tree/main/go/arrow/math - there are bunch of .S ("asm" files) and I'm still not able to comprehend how these work exactly (I guess it'll take more reading) - it seems very peculiar.

The last time I've used inlined assembly was back in Turbo/Borland Pascal, then bit in Visual Studio (32-bit), until they got disabled. Then did very little gcc with their more strict specification (while the former you had to know how the ABI worked, the latter too - but it was specced out).

Anyway - I wasn't expecting to find this in "Go" :) But I guess you can always start with .go code then produce assembly (-S) then optimize it, or find/hire someone to do it.

One is related to the heritage of being built around the NumPy library, which is great for processing numerical data, but becomes an issue as soon as the data is anything else. Pandas 2.0 has started to bring in Arrow, but it's not yet the standard (you have to opt-in and according to the developers it's going to stay that way for the foreseeable future). Also, pandas's Arrow-based features are not yet entirely on par with its NumPy-based features. Polars was built around Arrow from the get go. This makes it very powerful when it comes to exchanging data with other languages and reducing the number of in-memory copying operations, thus leading to better performance.

IMO a good first step would be to use the txr FFI to write a library for Apache arrow: https://arrow.apache.org/

https://www.reddit.com/r/O3DE/comments/rdvxhx/why_python/ :

> Python is used for scripting the editor only, not in-game behaviors.

> For implementing entity behaviors the only out of box ways are C++, ScriptCanvas (visual scripting) or Lua. Python is currently not available for implementing game logic.

C++, Lua, and Python all implement CFFI (C Foreign Function Interface) for remote function and method calls.

"Using CFFI for embedding" https://cffi.readthedocs.io/en/latest/embedding.html :

> You can use CFFI to generate C code which exports the API of your choice to any C application that wants to link with this C code. This API, which you define yourself, ends up as the API of a .so/.dll/.dylib library—or you can statically link it within a larger application.

Apache Arrow already supports C, C++, Python, Rust, Go and has C GLib support Lua:

https://github.com/apache/arrow/tree/main/c_glib/example/lua :

> Arrow Lua example: All example codes use LGI to use Arrow GLib based bindings

pyarrow.from_numpy_dtype:

AWS Data Wrangler is a Python library that simplifies the process of interacting with various AWS services, built on top of some useful data tools and open-source projects such as Pandas, Apache Arrow and Boto3. It offers streamlined functions to connect to, retrieve, transform, and load data from AWS services, with a strong focus on Amazon S3.

Worker should really adopt Apache Arrow, which has a much bigger ecosystem.

https://github.com/apache/arrow

Apache Arrow

I am aware of the fact that there are other posts about this issue but none of the ideas to solve it worked for me or sometimes none were found. The issue was discussed in the wheel git hub last December and seems to be solved but then it seems like I'm installing the wrong version? I simply used pip3 install pyarrow, is that wrong?