This is working man yes. I need to still understand what is being done here and why the simple query is not. what is gentimes . why a subquery required

The gentimes is just a command to generate a row without hitting any index. You can use "| gentimes start=-1" OR "| stats count" to generate single row which will be used to define filters via subsearch.

For writing optimum searches, all the filters should be moved to the right (as close to base search) if possible. The simple query you wrote is doing lot of eval calculations for all the rows and then applying filter, whereas the subsearch will just get evaluation once (before the base search) and its return values (which will be "date_mday=value") is replaced in base search, providing optimum filtering.

In your search, I believe you're missing the conversion of "day" to number, (date_mday is number), as day is output of strftime command which will be string.

Nope its not working . Do you know why. I need this for some other requirement.

index=xyz event="NEAT-IN" platform=apns |eval epochT=relative_time(now(), "-3d@d") | eval day=tonumber(strftime(epochT,"%d")) |eval nDay=tonumber(date_mday)| fields nDay,day,*|search nDay=day

I have already a field called date_mday . I just need to match it. Here is my problem.

Following is my data

 12/13/14 10:23:17.489 AM <167>1 2014-12-12T21:53:17.489-07:00 x.y.com neat 6627 apns [meta@28281 sequenceId="70840" sysUpTime="1093867625"][analytics@28281 event="NEAT-IN" platform="APNS"] {"timestamp":"1418446397487","platform":"apns","alertId":"142900204","appId":"appId","args":{},"deviceToken":"devToen","alert":"Message"}

As you can see I can't rely on _time as this is different and hence my dashboard queries with earliest=-1d@d is wrong. I instead want _time to be the time stamp after '<167> 1'. How do I do that. So my solution was to use the parsed fields date_mday which actually represents this second timestamp and match with current time and then use this inside dashboard query.