Solved: Historical data for endpoint in hostgroup

Antonio Macia · ‎11-10-2025

Hi,

We are leveraging the API to perform bulk uploads of endpoints into hostgroups and we noticed that everytime we upload an existing IP in a hostgroup, the IP is removed and recreated again. If the IP does not change, is SNA deleting the historical data gathered for this IP that might then affect the behavioural alerts?

Thanks.

David Salter · ‎11-11-2025

Hi Antonio,

Re-reading your question, historic Interface and Host Group statistics (along with Alarms) are not affected when an IP is removed from a Host Group as those statistics are stored on the Manager. Flow Data is a different situation. The stitched and de-duplicated flow record is stored on the Data Store (or Flow Collector if Data Store is not installed). When an IP address is active it contributes statistics to which ever Host Groups include that IP. Remove that IP from any Host Group and any active flows are attributed to the Catch All Host Group if the IP is not a public registered address. If it is a public registered address, it remains as an Outside Host associated with the appropriate country.

Whether you have Data Store or not, Flow Storage is effectively written to a very large buffer, eventually older flows are over-written by new flows.

I hope this helps, if anything needs clarification, please let me know.

View solution in original post

David Salter · ‎11-10-2025

If an IP is removed, historic data for that IP will be deleted.
Are you using the Advanced Host Group Automation platform or are you using your own scripts? If you are using your own script by all means share it with me directly, I would be happy to comment further.

Antonio Macia · ‎11-11-2025

Hi @David Salter

Thanks for your intereset in our case. We currently use SNA APIs to programatically incorporate assets exported from our inventory tool. Below a snippet of the script.

Since we still seeing flows from IPs that no longer exists, we thought that the fact of just recreating the same IP would not affect the historic data. But according what you were saying I can understand that traffic flows are a sepparated concept from behavioural data and this is removed?

What we want is to have our hostgroups reflecting the actual inventory while not losing historical data. Is that possible?

def update_tag(self):

        tag_response = tag_response["data"]
        response,api_session = self.create_sna_session()
        _api_url = url_for_api('sna')+confpaths.sna_conf_api+"/"+str(self.arg_a)+"/tags/"+str(self.arg_b)

        tag_response['ranges']=self.arg_d

        _data = json.dumps(tag_response)


        request_headers = {'Content-type': 'application/json', 'Accept': 'application/json'}


        _response = api_session.request("PUT", _api_url, verify=False, data=_data, headers=request_headers)


        jdata = _response.json()

        return jdata

Regards,

Antonio.

David Salter · ‎11-11-2025

Hi Antonio,

Re-reading your question, historic Interface and Host Group statistics (along with Alarms) are not affected when an IP is removed from a Host Group as those statistics are stored on the Manager. Flow Data is a different situation. The stitched and de-duplicated flow record is stored on the Data Store (or Flow Collector if Data Store is not installed). When an IP address is active it contributes statistics to which ever Host Groups include that IP. Remove that IP from any Host Group and any active flows are attributed to the Catch All Host Group if the IP is not a public registered address. If it is a public registered address, it remains as an Outside Host associated with the appropriate country.

Whether you have Data Store or not, Flow Storage is effectively written to a very large buffer, eventually older flows are over-written by new flows.

I hope this helps, if anything needs clarification, please let me know.

Antonio Macia · ‎11-12-2025

Thanks David. Cristal clear now.