That sounds quite complex. I think the only option is to use Vega, unless someone has better idea?
I’d create two queries – one getting all the user names of all times and the other one only from the last month. Then I’d use a bucket_selector pipeline aggregation to filter out the values that are in two buckets. If you decide to follow this path, it’d be easier to firstly use dev tools to make sure the data you receive from Elasticsearch looks correct and then move to Vega to create visualization on top of this data. This is not trivial though so you might wanna reconsider ingesting your data in different format to make it easier if it’s possible. Plus if you have a lot of data, this approach is not performant.
Here's a similar example: Data set difference between fields on different indexes