Splunk search bunch of Strings and display table of _raw

Question

I want to search a set of strings using OR (any better way is appreciated). Is there a way to assign name to Strings.

index=blah host=123 "ERROR" ("FILE1" OR "FILE2" OR "FILE3" ) | rex field=_raw ".errorDesc\":\"(?.)\",\"errorCode.*" | table _time RESP_JSON

Now, I want to add Filename as another column in table. If File is not present show empty values for rest of columns

Note: fileName is not a field, its just a string in _raw field

Splunk ::

[12/12/2015:12:12:12.123] ERROR occured while processing FILE1. errorDesc":"{field:123,code:124}","errorCode
[12/12/2015:13:13:12.123] ERROR occured while processing FILE3. errorDesc":"{field:125,code:124}","errorCode

eg Output:

File -------------------_time ----------------------- RESP_JSON

FILE1 ----- 12/12/2015:12:12:12.123 ----- {field:123,code:124}

FILE2

FILE3 ----- 12/12/2015:13:13:12.123 ----- {field:125,code:124}

No log entry for File2 is present, so empty row with just file Name is displayed

Answer 1

Give this a shot:

index=blah host=123 "ERROR" ("FILE1" OR "FILE2" OR "FILE3" ) | rex "processing\s+(?<filename>[^\.]+)\.\s+" | table _time RESP_JSON filename

It's the same search as above, just a different regex extraction.

Answer 2

Have u tried below to extract the filename?

index=blah host=123 "ERROR" ("FILE1" OR "FILE2" OR "FILE3" ) | rex field=_raw "(?<filename>). errorDesc" | table _time RESP_JSON filename

Regarding the first question of naming search terms have you looked at macros or using subsearchs with lookups?