[Entity Store] Add matched entity limit to resolution CSV upload#260475
Merged
[Entity Store] Add matched entity limit to resolution CSV upload#260475
Conversation
Add a 1000 entity match limit per CSV row in the entity resolution upload to prevent memory issues from overly broad identity field matches. Aligns with the similar breaker in asset criticality CSV upload. Rows exceeding the limit return an actionable error message. Relates: #260006
Contributor
|
Caution Review failedAn error occurred during the review process. Please try again later. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
8 tasks
Contributor
💔 Build Failed
Failed CI Steps
Test Failures
Metrics [docs]
History |
Change >= to > so exactly 1000 matches is allowed. The limit now triggers at 1001+, consistent with the error message "Matched more than 1000 entities."
Contributor
|
Pinging @elastic/contextual-security-apps (Team:Cloud Security) |
Contributor
ApprovabilityVerdict: Needs human review This PR adds a simple defensive limit check for entity resolution CSV uploads, which is low-risk and straightforward. However, the author does not own these files—they belong to @elastic/security-entity-analytics—so the designated code owners should review and approve the changes. You can customize Macroscope's approvability policy. Learn more. |
jeramysoucy
pushed a commit
to jeramysoucy/kibana
that referenced
this pull request
Apr 1, 2026
…stic#260475) ## Summary Adds a 1,000 entity match limit per CSV row in the entity resolution CSV upload to prevent memory issues from overly broad identity field matches. - Adds `MAX_MATCHED_ENTITIES = 1000` breaker in the pagination loop of `findMatchingEntities` - Rows exceeding the limit return an actionable error: *"Matched more than 1000 entities. Narrow your identifying fields to be more specific."* - Aligns behavior with the similar breaker in asset criticality CSV upload Addresses: elastic#260006 (comment) ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Low risk — adds a safety breaker to an existing pagination loop. No behavioral change for rows matching fewer than 1,000 entities.
eokoneyo
pushed a commit
to davismcphee/kibana
that referenced
this pull request
Apr 2, 2026
…stic#260475) ## Summary Adds a 1,000 entity match limit per CSV row in the entity resolution CSV upload to prevent memory issues from overly broad identity field matches. - Adds `MAX_MATCHED_ENTITIES = 1000` breaker in the pagination loop of `findMatchingEntities` - Rows exceeding the limit return an actionable error: *"Matched more than 1000 entities. Narrow your identifying fields to be more specific."* - Aligns behavior with the similar breaker in asset criticality CSV upload Addresses: elastic#260006 (comment) ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Low risk — adds a safety breaker to an existing pagination loop. No behavioral change for rows matching fewer than 1,000 entities.
paulinashakirova
pushed a commit
to paulinashakirova/kibana
that referenced
this pull request
Apr 2, 2026
…stic#260475) ## Summary Adds a 1,000 entity match limit per CSV row in the entity resolution CSV upload to prevent memory issues from overly broad identity field matches. - Adds `MAX_MATCHED_ENTITIES = 1000` breaker in the pagination loop of `findMatchingEntities` - Rows exceeding the limit return an actionable error: *"Matched more than 1000 entities. Narrow your identifying fields to be more specific."* - Aligns behavior with the similar breaker in asset criticality CSV upload Addresses: elastic#260006 (comment) ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Low risk — adds a safety breaker to an existing pagination loop. No behavioral change for rows matching fewer than 1,000 entities.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a 1,000 entity match limit per CSV row in the entity resolution CSV upload to prevent memory issues from overly broad identity field matches.
MAX_MATCHED_ENTITIES = 1000breaker in the pagination loop offindMatchingEntitiesAddresses: #260006 (comment)
Checklist
release_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesbackport:*labels.Identify risks
Low risk — adds a safety breaker to an existing pagination loop. No behavioral change for rows matching fewer than 1,000 entities.