search_events: Aggregation queries missing has: filter for grouped fields

[dcramer]

Problem

When generating aggregation queries that group by a field (e.g., count() by mcp.tool.name), the tool doesn't automatically add a has: filter to ensure only events containing that field are included.

Example

Query: "give me a table of tool call names with their count from the last 24 hours"

Current behavior generates:

count() by mcp.tool.name

Should generate:

has:mcp.tool.name count() by mcp.tool.name

Impact

Without the has: filter, aggregation results include events that don't have the grouped field, leading to incorrect or empty results.

Fix

When generating aggregation queries with group by, automatically prepend the appropriate has: filter for each grouped field.