Part of #51556
https://eql.readthedocs.io/en/latest/query-guide/functions.html#wildcard
Specifically, we should catch wildcard(field, "wildcard1", "wildcard2", "wildcard3", ...) and convert to Like as an optimizer rule.
Function behavior
Validation requirements:
- All wildcard parameters must be constant/foldable strings in the query
- There must be at least one wildcard string
- The first parameter must be a string but may or not be foldable.
null behavior:
- wildcard(missing/null, ...) ==> null
- wildcard(string, ...) => true or false
- wildcard(non-null, non-string) => null (if necessary)
- this shouldn't be possible when compiling to match and using an indexed field. but can we query non-indexed fields? would a document ever have a non-string value?
Part of #51556
https://eql.readthedocs.io/en/latest/query-guide/functions.html#wildcard
Specifically, we should catch
wildcard(field, "wildcard1", "wildcard2", "wildcard3", ...)and convert to Like as an optimizer rule.Function behavior
Validation requirements:
null behavior: