use strict;
use warnings;
use Data::Dumper;

my %users;
my %searches;


while (<DATA>) { # I use DATA handle instead of $fh for convenience
		if( /BIND/ ) {
				my( $conn, $uid ) = /conn=(\d+).*uid=(.*?),/;
				push @{$users{$uid}}, $conn;
		}
		if( /SRCH=Q/ ) {
				my ($timestamp, $conn) = /\[(.*?)\] conn=(\d+)/;
				push @{$searches{$conn}}, $timestamp;
		}
}


for my $user (keys %users) {
		for my $conn (@{$users{$user}}) {
				print "User $user had ".scalar( @{$searches{$conn}} )." searches on connection $conn\n";
				print "\t=> Bad user!\n" if  @{$searches{$conn}} > 3;
		}
}

print Dumper \%users;
print Dumper \%searches;