ESQL: function/operator to check if any value of a multivalue field matches

[alex-spies]

Description

There are use cases where we want to check if a multvalued field e.g. contains a particular value. Currently, the == operator does not support this as a multivalue for either of the operands results in a null (mentioned in the docs, too).

One workaround is to use MV_EXPAND, but this changes the number of rows and loses information about which values were once part of the same multvalue. This was, for instance, not adequate for (this SIEM case).

What we probably need is something like an any_equals function (and all_equals, most likely) - or some sort of ANY/ALL modifiers, e.g. WHERE ANY mv_field == "single_value". (The exact semantics of ANY/ALL are unclear in case we compose multiple operators/functions, though.)

[elasticsearchmachine]

Pinging @elastic/es-analytical-engine (Team:Analytics)