Privmon User Count - use grouping with count in place of count distinct for > 4000 users limitation #249775

Merged: CAWilson94 merged 12 commits into elastic:main, Jan 21, 2026

Conversation
…s accurately counted

Comment on lines +14 to +15:

```
  | STATS BY user.name
  | STATS count = COUNT(*)`;
```
Contributor: Pinging @elastic/security-entity-analytics (Team:Entity Analytics)
hop-dev reviewed, Jan 21, 2026

hop-dev approved these changes, Jan 21, 2026
Contributor: ⏳ Build in-progress, with failures (Failed CI Steps / History)
Contributor: Starting backport for target branches: 9.3 https://github.com/elastic/kibana/actions/runs/21218678822
kibanamachine added a commit to kibanamachine/kibana that referenced this pull request, Jan 21, 2026:

…ct for > 4000 users limitation (elastic#249775)

### Summary
This PR fixes the eggbox on privileged monitoring not showing > 4000 user count accurately due to [limitation with ESQL's count distinct](https://www.elastic.co/docs/reference/query-languages/esql/functions-operators/aggregation-functions#esql-agg-count-distinct-approximate)

The main change here is ~~using lensAttributes instead to use a DSL query instead~~.
[**EDIT**] Changing the ESQL query to use double STATS.

```
FROM ${getPrivilegedMonitorUsersIndex(namespace)}
  | WHERE user.is_privileged == true
  | STATS BY user.name
  | STATS count = COUNT(*)
```

Works well for 1k, 4k, and 10k user counts.

![Screenshot 2026-01-21 at 3 26 37 PM](https://github.com/user-attachments/assets/4dbae045-e1fd-40d0-aca2-8918181bed43)
![Screenshot 2026-01-21 at 3 14 52 PM](https://github.com/user-attachments/assets/28bc8ace-897c-4712-aed1-28a03c0243be)
![Screenshot 2026-01-21 at 2 56 33 PM](https://github.com/user-attachments/assets/c1435265-e2d7-4dda-bbaf-9c91b12b49b8)

**To test:**
1. Navigate to kibana (loaded up etc)
2. Upload > 1000 users, previously tested with 1008 users.
3. Should see on eggbox, privileged user count is accurate and matching with dev tools result below:
4. dev tools command:

```
GET .entity_analytics.monitoring.users-*/_search
{
  "size": 0,
  "aggs": {
    "by_priv": {
      "terms": {
        "field": "user.is_privileged"
      }
    }
  }
}
```

5. Edit your csv, remove some of these users and re-upload.
6. Ensure the count is accurate to the new number of csv uploaded users and the omitted users show privileged false in dev tools.

If someone wants to use a scripted way to generate csv users, may use the below cli command

```
for i in {1..10000}; do echo "bulk_user_$i" >> privileged_users.csv; done && wc -l privileged_users.csv
```

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: abhishekbhatia1710 <abhishek.bhatia@elastic.co>
Co-authored-by: Abhishek Bhatia <117628830+abhishekbhatia1710@users.noreply.github.com>
(cherry picked from commit 56b7cdf)
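The commit message above gives the corrected ES|QL pipeline and a six-step manual test, but nothing on the page lets a reader see offline why "group by user.name, then count the groups" is exact while the previous `COUNT_DISTINCT` is an approximation, or when the dev-tools `terms` aggregation is a valid cross-check. The following script is an added example, not code from the Kibana repository or from the PR author: it replays both the ES|QL pipeline and the `terms` aggregation over an in-memory list of constructed documents, and walks the PR's test steps (upload 1008 users, re-upload 1000, confirm the omitted 8 flip to `is_privileged: false`). The field names `user.name` and `user.is_privileged` and the `bulk_user_N` naming come from the PR; the document shape, the helper names and the way a re-upload is modelled are assumptions made for the example.

```python
"""
Offline model of the privileged-user count fix (added example, not Kibana code).

Replays   FROM <index> | WHERE user.is_privileged == true
          | STATS BY user.name | STATS count = COUNT(*)
and the dev-tools `terms` aggregation on user.is_privileged over constructed
documents so the two can be compared the way the PR's test steps describe.
"""
from collections import Counter
from typing import Iterable


def make_user_docs(names: Iterable[str], privileged: bool = True) -> list[dict]:
    """Constructed stand-ins for documents in .entity_analytics.monitoring.users-*.
    The nested shape {"user": {"name", "is_privileged"}} is an assumption."""
    return [{"user": {"name": n, "is_privileged": privileged}} for n in names]


def generate_users_csv(n: int) -> str:
    """Same content the PR's bash loop appends to privileged_users.csv."""
    return "".join(f"bulk_user_{i}\n" for i in range(1, n + 1))


def parse_users_csv(csv_text: str) -> list[str]:
    """One user name per non-empty line, as in the generated CSV."""
    return [line.strip() for line in csv_text.splitlines() if line.strip()]


def apply_csv_upload(docs: list[dict], names: Iterable[str]) -> list[dict]:
    """Model of test steps 5-6 (assumed semantics): users present in the new CSV
    are privileged, previously known users missing from it become
    is_privileged=false, and unknown names get new documents."""
    uploaded = set(names)
    known = {d["user"]["name"] for d in docs}
    updated = [
        {"user": {"name": d["user"]["name"],
                  "is_privileged": d["user"]["name"] in uploaded}}
        for d in docs
    ]
    updated += make_user_docs(sorted(uploaded - known))
    return updated


def exact_privileged_count(docs: list[dict]) -> int:
    """The fixed pipeline: WHERE is_privileged == true, STATS BY user.name,
    then COUNT(*) over the groups. Grouping deduplicates exactly, so the result
    does not depend on cardinality the way the approximate COUNT_DISTINCT does."""
    groups = {d["user"]["name"] for d in docs if d["user"]["is_privileged"] is True}
    return len(groups)


def privileged_by_terms(docs: list[dict]) -> dict[bool, int]:
    """The dev-tools cross-check: a terms aggregation on user.is_privileged.
    Note it reports document counts, so it only equals the distinct-user count
    when the index holds exactly one document per user."""
    return dict(Counter(d["user"]["is_privileged"] for d in docs))


def run_pr_test_scenario() -> dict:
    """Walk the PR's manual test with constructed data and return every figure
    a tester would compare by eye in the eggbox and in dev tools."""
    # Steps 2-4: upload 1008 users, compare pipeline count with the terms agg.
    docs = make_user_docs(parse_users_csv(generate_users_csv(1008)))
    result = {
        "initial_count": exact_privileged_count(docs),   # 1008
        "initial_terms": privileged_by_terms(docs),      # {True: 1008}
    }
    # Why the cross-check needs one doc per user: duplicate documents inflate
    # the terms doc_count but not the grouped count.
    with_dupes = docs + docs[:5]
    result["dup_count"] = exact_privileged_count(with_dupes)   # still 1008
    result["dup_terms"] = privileged_by_terms(with_dupes)      # {True: 1013}
    # Steps 5-6: trim the CSV to 1000 users and re-upload.
    docs = apply_csv_upload(docs, parse_users_csv(generate_users_csv(1000)))
    result["after_count"] = exact_privileged_count(docs)  # 1000
    result["after_terms"] = privileged_by_terms(docs)     # {True: 1000, False: 8}
    return result


if __name__ == "__main__":
    for key, value in run_pr_test_scenario().items():
        print(f"{key}: {value}")
```

The `dup_*` figures are the part worth keeping in mind when using the dev-tools query as the oracle in step 3: `terms` on `user.is_privileged` counts documents, so it agrees with the grouped count only while the monitoring index holds a single document per user.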
Contributor: 💚 All backports created successfully. Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation.
kibanamachine added a commit that referenced this pull request, Jan 21, 2026:

…distinct for > 4000 users limitation (#249775) (#249927)

# Backport
This will backport the following commits from `main` to `9.3`:
- [Privmon User Count - use grouping with count in place of count distinct for > 4000 users limitation (#249775)](#249775)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Charlotte Alexandra Wilson <CAWilson94@users.noreply.github.com>
Co-authored-by: abhishekbhatia1710 <abhishek.bhatia@elastic.co>
Co-authored-by: Abhishek Bhatia <117628830+abhishekbhatia1710@users.noreply.github.com>
yuliia-fryshko pushed a commit to yuliia-fryshko/kibana that referenced this pull request, Jan 22, 2026 (same commit message as above).
qn895 pushed a commit to qn895/kibana that referenced this pull request, Jan 22, 2026 (same commit message as above).
dennis-tismenko pushed a commit to dennis-tismenko/kibana that referenced this pull request, Jan 22, 2026 (same commit message as above).