Thanks for your quick reply!

index=os sourcetype="netstat" host="hostname" 44221 | stats count just gives me the number of events that contain 44221, which is just the same as the time I'm searching because it is indexed once per minute.

index=os sourcetype="netstat" host="hostname" 44221 | rex ":(?\d+)" | stats count by port seems to only pull out the first port that is listed by the netstat in each event (which happens to be 32000 for me) and count those, which again is just the same as the time period being searched. I think this is on the right track, but I need to to grab specifically the port 44221, and I also need it to count every occurrence of that in each event and display it as a running total.

If an event can have multiple occurrences, you can add a max_match=0 to the rex command that will capture all occurrences. Then you could use mvcount() or other multi-value functions to manipulate that field. Something like this

index=os sourcetype="netstat" host="hostname" 44221 | rex max_match=0 ":(?<port>\d+)" | eval c=mvcount(port)  

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/rex

http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Parsemultivaluefields

Thanks, this did it for me! to add for anyone who finds this in the future, my final search was

index=os sourcetype="netstat" host="hostname" | rex max_match=0 ":(?<port>4422\d|5432)" | eval c=mvcount(port) | stats c by port

I used ":(?4422\d|5432)" which matched only the ports I cared about, and the stats c by port gave me a pretty chart of the data.