in reply to Pull users with multiple search

So at which part of implementing that logic do you get stuck?

EDIT:

In case you don't know where to even begin, here's one possible recipe for implementing this task:

  1. Define two hashes: %users and %searches
  2. Process the logfile line by line. For each line, use a regex to see if it matches the BIND or RESULT form, and extract the relevant fields ($conn, $uid, etc.) if it does. Also:
    a. If it is a BIND line:
      i. Add an entry to the %users hash, with $conn as the key and $uid as the value.
    b. If it is a RESULT line:
      i. Add relevant information (about the timestamp of the search) to the value of the %searches entry that belongs to the key $conn.
      ii. Check the accumulated information in said hash value, for whether the condition of "three occurrences within an hour" has been met. If so, use the %users hash to look up the UID that belongs to the $conn in question and run the `add group` command for it.
      iii. Remove information from said hash value that is no longer required.

Of course, what exactly "add/check/remove relevant information" means in 2.b.i. - 2.b.iii., depends on the exact requirements of what "three occurrences within an hour" should mean. See hdb's answer for details.

Also, this recipe assumes that the BIND line always comes before the corresponding RESULT lines, and that a little extra memory overhead is acceptable in order to optimize speed. If either of these requirements is not given, a better way to do it might be to do a first parsing run through the logfile for the RESULT lines only, and then a second one for only those BIND lines that are actually needed.

For general help on how to parse a file and use regexes, see the links in Anonymous Monk's answer.
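Below is the recipe above fleshed out into a runnable script. This is an added example, not code from the original post or from hdb's or Anonymous Monk's answers. It assumes a 389-DS/Sun-DS-style access-log layout (`[dd/Mon/yyyy:HH:MM:SS +zzzz] conn=N op=N BIND dn="uid=..."` and `... conn=N op=N RESULT ...`), which the thread's log may not use, and it runs against a constructed sample log instead of a real file. It goes slightly beyond the recipe in two places: it skips the RESULT line that belongs to the BIND itself (in such logs every operation, the bind included, gets its own RESULT), and it flags each connection only once. The `add group` step is stood in for by a print; put the real command there.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::Local qw(timegm);

# Constructed sample input (assumed 389-DS-style layout, not taken from the thread).
# alice (conn=1) searches three times within an hour; bob (conn=2) searches three
# times spread over more than an hour; conn=3 has RESULT lines but no BIND we saw.
my @LOG = (
  '[17/Jun/2011:10:00:00 +0000] conn=1 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3',
  '[17/Jun/2011:10:00:00 +0000] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
  '[17/Jun/2011:10:00:00 +0000] conn=2 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3',
  '[17/Jun/2011:10:00:00 +0000] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
  '[17/Jun/2011:10:05:00 +0000] conn=1 op=1 RESULT err=0 tag=101 nentries=12 etime=0',
  '[17/Jun/2011:10:10:00 +0000] conn=2 op=1 RESULT err=0 tag=101 nentries=3 etime=0',
  '[17/Jun/2011:10:12:00 +0000] conn=3 op=1 RESULT err=0 tag=101 nentries=1 etime=0',
  '[17/Jun/2011:10:30:00 +0000] conn=1 op=2 RESULT err=0 tag=101 nentries=7 etime=0',
  '[17/Jun/2011:10:55:00 +0000] conn=1 op=3 RESULT err=0 tag=101 nentries=2 etime=0',
  '[17/Jun/2011:11:15:00 +0000] conn=2 op=2 RESULT err=0 tag=101 nentries=4 etime=0',
  '[17/Jun/2011:11:40:00 +0000] conn=2 op=3 RESULT err=0 tag=101 nentries=9 etime=0',
);

my %MON = (Jan=>0, Feb=>1, Mar=>2, Apr=>3, May=>4,  Jun=>5,
           Jul=>6, Aug=>7, Sep=>8, Oct=>9, Nov=>10, Dec=>11);

# "17/Jun/2011:10:05:00 +0000" -> UTC epoch seconds, or undef if it does not parse.
sub parse_ts {
    my ($ts) = @_;
    my ($d, $mon, $y, $H, $M, $S, $sign, $oh, $om) =
        $ts =~ m{^(\d\d)/(\w{3})/(\d{4}):(\d\d):(\d\d):(\d\d) ([+-])(\d\d)(\d\d)$}
        or return;
    return unless exists $MON{$mon};
    my $local  = timegm($S, $M, $H, $d, $MON{$mon}, $y);
    my $offset = ($oh * 3600 + $om * 60) * ($sign eq '-' ? -1 : 1);
    return $local - $offset;    # wall-clock time minus its UTC offset is UTC
}

# One pass over the log lines; returns the UIDs whose connection produced
# $threshold or more search RESULTs within any $window seconds (inclusive).
sub find_busy_users {
    my ($lines, $threshold, $window) = @_;
    my (%users, %searches, %flagged, @hits);

    for my $line (@$lines) {
        # BIND: remember which uid owns this conn, and which op number was the bind
        if (my ($ts, $conn, $op, $uid) =
                $line =~ /^\[([^\]]+)\] conn=(\d+) op=(\d+) BIND dn="uid=([^,"]+)/) {
            $users{$conn} = { uid => $uid, bind_op => $op };
            delete $searches{$conn};      # a re-bind on the same conn starts fresh
            next;
        }

        # RESULT: treat as one completed search on that conn
        if (my ($ts, $conn, $op) = $line =~ /^\[([^\]]+)\] conn=(\d+) op=(\d+) RESULT /) {
            my $user = $users{$conn} or next;   # no BIND seen for this conn: ignore
            next if $op == $user->{bind_op};    # the BIND's own RESULT is not a search
            next if $flagged{$conn};            # already reported this connection

            my $t = parse_ts($ts);
            next unless defined $t;

            my $q = $searches{$conn} ||= [];
            push @$q, $t;                                     # 2.b.i.  record it
            shift @$q while @$q && $q->[0] < $t - $window;    # 2.b.iii. drop stale entries
            if (@$q >= $threshold) {                          # 2.b.ii. check the window
                $flagged{$conn} = 1;
                push @hits, $user->{uid};
                delete $searches{$conn};
            }
        }
    }
    return @hits;
}

for my $uid (find_busy_users(\@LOG, 3, 3600)) {
    # Put the actual `add group` command here; this print only stands in for it.
    print "add group: $uid\n";
}
```

With the constructed log this prints `add group: alice` only: bob's three searches span more than an hour, so the stale-entry shift keeps his window below three, and conn=3 is ignored because no BIND was seen for it. Lines are dropped from the per-connection list as soon as they fall outside the window, so memory stays bounded by the number of live connections times at most $threshold entries.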