how to query PSfalcon to avoid returning duplicate hosts #78
May I ask if there is a specific PSFalcon command to return hostname/IDs based on the latest 'last_seen' date? Though it can be scripted, I was looking for the best approach. Thanks
Replies: 2 comments 1 reply
Are you trying to remove duplicates, or return results that don't have duplicates (by hostname)? The problem you're facing is that Falcon thinks these are unique--because devices are linked to their agent ID value--and there's no filter that can exclude them as it would require some evaluation logic by the API (which it doesn't do). So, with that in mind, you can either use Find-FalconDuplicate and Invoke-FalconHostAction to remove the duplicates so they're not in your results:

$Duplicates = Find-FalconDuplicate
Invoke-FalconHostAction -Name hide_host -Ids $Duplicates.device_id

Or retrieve all results and filter them based on unique Hostname values:

# Sort newest last_seen first, so the first record in each hostname group is the most recently seen one
$NoDupes = Get-FalconHost -Detailed -All | Sort-Object last_seen -Descending | Where-Object hostname | Group-Object hostname | ForEach-Object { $_.Group | Select-Object -First 1 }

Since I just freehanded that second example, check it and make sure it's giving the right results in your environment. :)
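The group-by-hostname approach from the answer above, worked through as an added example that is not part of the discussion or of the PSFalcon project. It wraps the logic in a function (Select-LatestHost, a hypothetical name) that keeps the most recently seen record per hostname and returns the older duplicates separately, so they can be reviewed before any hide_host action is taken. The input records are constructed here with the field names Get-FalconHost returns (device_id, hostname, last_seen), so the block runs without a Falcon connection.

```powershell
# Added example: dedupe host records by hostname, keeping the newest last_seen.
# Select-LatestHost is a hypothetical helper, not a PSFalcon cmdlet.
function Select-LatestHost {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$InputObject
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($h in $InputObject) { $all.Add($h) } }
    end {
        $keep  = [System.Collections.Generic.List[object]]::new()
        $stale = [System.Collections.Generic.List[object]]::new()
        # Records without a hostname are skipped; hostnames are grouped case-insensitively
        $all | Where-Object { $_.hostname } |
            Group-Object { $_.hostname.ToLowerInvariant() } |
            ForEach-Object {
                # last_seen is an ISO-8601 timestamp string; sort newest first
                $sorted = @($_.Group | Sort-Object { [datetime]$_.last_seen } -Descending)
                $keep.Add($sorted[0])
                if ($sorted.Count -gt 1) {
                    $stale.AddRange([object[]]$sorted[1..($sorted.Count - 1)])
                }
            }
        [pscustomobject]@{ Keep = $keep.ToArray(); Stale = $stale.ToArray() }
    }
}

# Constructed sample records (not real Falcon data). With PSFalcon loaded you
# would instead pipe: Get-FalconHost -Detailed -All | Select-LatestHost
$sample = @(
    [pscustomobject]@{ device_id = 'aid-0001'; hostname = 'WS-0001';  last_seen = '2021-09-01T08:00:00Z' },
    [pscustomobject]@{ device_id = 'aid-0002'; hostname = 'ws-0001';  last_seen = '2021-09-15T12:30:00Z' },
    [pscustomobject]@{ device_id = 'aid-0003'; hostname = 'SRV-DB01'; last_seen = '2021-09-10T09:15:00Z' },
    [pscustomobject]@{ device_id = 'aid-0004'; hostname = $null;      last_seen = '2021-09-12T10:00:00Z' }
)

$result = $sample | Select-LatestHost
"Kept (newest per hostname):"
$result.Keep  | Select-Object device_id, hostname, last_seen | Format-Table
"Stale duplicates for review:"
$result.Stale | Select-Object device_id, hostname, last_seen | Format-Table
```

Reviewing $result.Stale before acting on it matters: a host that was rebuilt and re-enrolled under the same name legitimately has two agent IDs, and the older record is the one you want gone, while two distinct machines that happen to share a hostname would be collapsed by this logic as well. Once the stale list has been checked, the same Invoke-FalconHostAction -Name hide_host call shown in the answer can be pointed at $result.Stale.device_id.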
Thanks all.
On Thu., 16 Sep 2021 at 18:13, bk-cs ***@***.***>
wrote:
Are you trying to remove duplicates, or return results that don't have duplicates (by hostname)?
The problem you're facing is that Falcon thinks these are unique--because devices are linked to their agent ID value--and there's no filter that can exclude them as it would require some evaluation logic by the API (which it doesn't do).
So, with that in mind, you can either use Find-FalconDuplicate and Invoke-FalconHostAction to remove the duplicates so they're not in your results:
$Duplicates = Find-FalconDuplicate
Invoke-FalconHostAction -Name hide_host -Ids $Duplicates.device_id
Or retrieve all results and filter them based on unique Hostname values:
$NoDupes = Get-FalconHost -Detailed -All | Sort-Object last_seen -Descending | Where-Object hostname | Group-Object hostname | ForEach-Object { $_.Group | Select-Object -First 1 }
Since I just freehanded that second example, check it and make sure it's giving the right results in your environment. :)