bk-cs
commented
1 year ago The offset parameter of Get-FalconHost expects a dynamically generated pagination token that is returned with your initial request, however, PSFalcon is designed for you to ignore the offset, after and next_token parameters, and those values are generally hidden from the user. The -All switch does all the pagination work.
When using -Include network_history, the module will pass groups of host identifiers back to Get-FalconHost to retrieve the network_history content, and then output everything as a final result. This is how it should look to retrieve network_history for all hosts:
Get-FalconHost -Include network_history -AllNOTE: If you want more than just device_id and network_history, include the -Detailed switch.
And here's what PSFalcon does behind-the-scenes:
500 ids
- 1 request for 500 ids
- With
-Detailedadded: 1 request for 500 details - 5 requests for 100 network_history
5000 ids
- 1 request for 5,000 ids
- With
-Detailedadded: 1 request for 5,000 details - 500 requests for 100 network_history
As you can see, there's a drastic increase in the number of requests that are required to get this data. I would expect an increase in time, but not a jump from 4 seconds to 4 minutes. Does your PowerShell environment have sufficient resources? Using PowerShell Core (i.e. version 7 or above) is typically much faster than PowerShell Desktop.
Here are time results from my test environment that has a total of 1,716 hosts
500 hosts, using PowerShell 5.1:
PS C:\> Measure-Command { Get-FalconHost -Include network_history -Limit 500 }
Days : 0
Hours : 0
Minutes : 0
Seconds : 3
Milliseconds : 956
Ticks : 39563187
TotalDays : 4.57907256944444E-05
TotalHours : 0.00109897741666667
TotalMinutes : 0.065938645
TotalSeconds : 3.9563187
TotalMilliseconds : 3956.3187All hosts, using PowerShell 5.1:
PS C:\> Measure-Command { Get-FalconHost -Include network_history -All }
Days : 0
Hours : 0
Minutes : 0
Seconds : 29
Milliseconds : 838
Ticks : 298385697
TotalDays : 0.000345353815972222
TotalHours : 0.00828849158333333
TotalMinutes : 0.497309495
TotalSeconds : 29.8385697
TotalMilliseconds : 29838.5697500 hosts, using PowerShell 7.3.6:
PS C:\> Measure-Command { Get-FalconHost -include network_history -Limit 500 }
Days : 0
Hours : 0
Minutes : 0
Seconds : 5
Milliseconds : 758
Ticks : 57581149
TotalDays : 6.66448483796296E-05
TotalHours : 0.00159947636111111
TotalMinutes : 0.0959685816666667
TotalSeconds : 5.7581149
TotalMilliseconds : 5758.1149All hosts, using PowerShell 7.3.6:
PS C:\> Measure-Command { Get-FalconHost -include network_history -All }
Days : 0
Hours : 0
Minutes : 0
Seconds : 18
Milliseconds : 834
Ticks : 188345867
TotalDays : 0.00021799290162037
TotalHours : 0.00523182963888889
TotalMinutes : 0.313909778333333
TotalSeconds : 18.8345867
TotalMilliseconds : 18834.5867
I am trying to use the Offset Switch with Get-FalconHost, but seem to be unable to figure out what goes there and can't find any kind of examples or samples including the use of this switch. I see in the Get-FalconHost wiki that this parameter is supposed to be a string, where most other commands an int32 is used.
When trying to use a number as an offset, I receive the following error.
Write-Result: C:\Users******\Documents\PowerShell\Modules\PSFalcon\2.2.5\private\Private.ps1:624 Line | 624 | $Output = Write-Result $Object |
~~~~| [{"code":400,"message":"Bad request"}]I am attempting to use -Include network_history, but I have noticed that as the number of hosts increases, the time to completion exponentially increases. Querying for the network_history for 500 hosts takes only 4 seconds to complete, but 5000 hosts takes almost 4 minutes to complete.
PowerShell: v7.3.4 PSFalcon: v2.2.5