[9.3] Privmon User Count - use grouping with count in place of count distinct for > 4000 users limitation (#249775) #249927
Merged
kibanamachine merged 1 commit into elastic:9.3 from Jan 21, 2026
…ct for > 4000 users limitation (elastic#249775)

### Summary

This PR fixes the eggbox on privileged monitoring not showing > 4000 user count accurately due to [limitation with ESQL's count distinct](https://www.elastic.co/docs/reference/query-languages/esql/functions-operators/aggregation-functions#esql-agg-count-distinct-approximate)

The main change here is ~~using lensAttributes instead to use a DSL query instead~~.

[**EDIT**] Changing the ESQL query to use double STATS.

```
FROM ${getPrivilegedMonitorUsersIndex(namespace)}
| WHERE user.is_privileged == true
| STATS BY user.name
| STATS count = COUNT(*)
```

Works well for 1k, 4k, and 10k user counts.

<img width="1655" height="464" alt="Screenshot 2026-01-21 at 3 26 37 PM" src="https://github.com/user-attachments/assets/4dbae045-e1fd-40d0-aca2-8918181bed43" />
<img width="819" height="339" alt="Screenshot 2026-01-21 at 3 14 52 PM" src="https://github.com/user-attachments/assets/28bc8ace-897c-4712-aed1-28a03c0243be" />
<img width="1659" height="353" alt="Screenshot 2026-01-21 at 2 56 33 PM" src="https://github.com/user-attachments/assets/c1435265-e2d7-4dda-bbaf-9c91b12b49b8" />

**To test:**

1. Navigate to kibana (loaded up etc)
2. Upload > 1000 users, previously tested with 1008 users.
3. Should see on eggbox, privileged user count is accurate and matching with dev tools result below:
4. dev tools command:

```
GET .entity_analytics.monitoring.users-*/_search
{
  "size": 0,
  "aggs": {
    "by_priv": {
      "terms": { "field": "user.is_privileged" }
    }
  }
}
```

5. Edit your csv, remove some of these users and re-upload.
6. Ensure the count is accurate to the new number of csv uploaded users and the omitted users show privileged false in dev tools.

If someone wants to use a scripted way to generate csv users, may use the below cli command

```
for i in {1..10000}; do echo "bulk_user_$i" >> privileged_users.csv; done && wc -l privileged_users.csv
```

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: abhishekbhatia1710 <abhishek.bhatia@elastic.co>
Co-authored-by: Abhishek Bhatia <117628830+abhishekbhatia1710@users.noreply.github.com>

(cherry picked from commit 56b7cdf)
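An added illustration of the trade-off described in the commit message above, not code from Kibana or Elasticsearch: it compares an exact group-then-count (the shape of the double `STATS` query) with a sketch-based distinct count. The plain HyperLogLog here is a simplified stand-in for the HyperLogLog++ sketch that the linked ES|QL documentation describes for `COUNT_DISTINCT`; the function names and the sample documents are constructed for this example.

```python
import hashlib
import math

def build_docs(n_users):
    """Constructed sample: each privileged user appears in two docs, plus non-privileged noise."""
    docs = [{"user.name": f"bulk_user_{i}", "user.is_privileged": True}
            for i in range(1, n_users + 1)] * 2
    docs += [{"user.name": f"former_user_{i}", "user.is_privileged": False}
             for i in range(50)]
    return docs

def grouped_count(docs):
    """Exact: group by user.name, then count the groups (the double-STATS shape)."""
    groups = {}
    for doc in docs:
        if doc["user.is_privileged"]:
            groups[doc["user.name"]] = groups.get(doc["user.name"], 0) + 1
    return len(groups)

def sketch_count(docs, p=10):
    """Approximate: plain HyperLogLog with 2**p registers (illustrative stand-in)."""
    m = 1 << p
    registers = [0] * m
    for doc in docs:
        if not doc["user.is_privileged"]:
            continue
        digest = hashlib.sha256(doc["user.name"].encode()).digest()
        h = int.from_bytes(digest[:8], "big")
        idx = h >> (64 - p)                      # first p bits pick a register
        rest = h & ((1 << (64 - p)) - 1)         # remaining 64 - p bits
        rank = (64 - p) - rest.bit_length() + 1  # leading zeros in rest, plus 1
        registers[idx] = max(registers[idx], rank)
    alpha = 0.7213 / (1 + 1.079 / m)             # bias constant for m >= 128
    estimate = alpha * m * m / sum(2.0 ** -r for r in registers)
    zeros = registers.count(0)
    if estimate <= 2.5 * m and zeros:            # small-range (linear counting) correction
        estimate = m * math.log(m / zeros)
    return round(estimate)

if __name__ == "__main__":
    # Same user counts the commit message reports testing with.
    for n in (1008, 4000, 10000):
        docs = build_docs(n)
        print(n, grouped_count(docs), sketch_count(docs))
```

The grouped count stays exact at every size because it materialises one group per user, while the sketch trades accuracy for fixed memory, which matters when the number shown is a privileged-account count that operators reconcile against an uploaded list.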
💛 Build succeeded, but was flaky
cc @CAWilson94
Backport
This will backport the following commits from main to 9.3:

Questions? Please refer to the Backport tool documentation