EQL: Optimization for string with single wildcard

[rw-access]

I saw a few queries flying around with field == "*" syntax. In general, I think we should direct users to direct == null or != null checking, but sometimes we see usage patterns from KQL seep in.

Under the hood field == "*" gets converted to wildcard(field, "*"), which eventually turns into an AST for "like": Like(Source(), Field("field"), "%").

I think somewhere in the optimizer to we should convert this to IsNotNull which should be more performant.

[elasticmachine]

Pinging @elastic/es-ql (:Query Languages/EQL)

[jimczi]

We have some optimizations internally when parsing a search request that rewrites a query like field:* into an exists query for the field. However we don't apply this optimization to wildcard and prefix queries, only in query_string.
So I don't know what is the step to move from wildcard(field, "*") to Like(Source(), Field("field"), "%") but for the search layer, we should be able to optimize the first case, wildcard(field, "*").