When you use the Search NetFlow Endpoint resource and chosse an IP to search this table is used. It can become a rather large table and we are looking at how to lessen it's impact.
Hi, is it safe to truncate this table? Actually is the 2nd most large table in our DB (3.7 GB !)
This table can safely be truncated, but then you'll only be able to search for IP addresses who are involved in traffic after that point in time. What I mean, by that is a search in the "Search NetFlow Endpoint " resource, won't come up with results until the NTA collector receives new traffic for that particular endpoint(s).
So, in essense once you truncate that table, it will start rebuilding itself.
Further in NTA 3.1 SP2 (which is almost released), if you don't care at all about searching in the "Search NetFlow Endpoint" resource, you can turn off this function in the NTA service, so that it doesn't populate the table anymore. To do so, you'll first make a copy of the NetFlowService.exe.config file in your NTA install directory, then open it. Look for the following line in the file:
<detailsCache secondsToExpire="60" maxSize="50000" searchByCacheInitialSize="5000" flowCacheInitialSize="5000" disableSearchByAddress="0"/>
Set disableSearchByAddress to 1. You'll need to restart the NTA service for this to take effect.