This one tripped me up. The rex command is not a filter; it merely extracts the value where it exists and leaves every other event in the result set. As such, you can’t simply say…
rex field=_raw "(?<myField>mysearch)" | timechart span=1d count as total
…as this will result in every event passing through, so your count will be much larger than expected. To use the rex construct as a filter, you must sandwich a where myField != "" between the rex and timechart commands. For example…
host=myhost* sourcetype=*server* | rex field=_raw "(?<restart>Microcontainer.*Started in)" | where restart != "" | timechart span=1d count as restarts_by_day
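The same pipeline simulated in Python over a few constructed log lines (an added example, not part of the original post): the rex() step attaches the captured field but drops nothing, so the per-day count is only correct after the where-style filter.

```python
import re
from collections import Counter

# Constructed sample events (_time, _raw); not taken from any real server log.
EVENTS = [
    ("2024-03-01T02:10:00", "Microcontainer app-a Started in 1203 ms"),
    ("2024-03-01T09:45:00", "GC pause 41 ms"),
    ("2024-03-01T14:00:00", "Microcontainer app-b Started in 980 ms"),
    ("2024-03-02T01:00:00", "Health check OK"),
    ("2024-03-02T07:30:00", "Microcontainer app-a Started in 1501 ms"),
    ("2024-03-03T12:00:00", "Health check OK"),
]

# Same named capture group as the SPL example above (Python uses ?P<name>).
REX = re.compile(r"(?P<restart>Microcontainer.*Started in)")


def rex(events, pattern):
    """Mimic `rex field=_raw`: add the captured field where the regex matches,
    leave it empty where it does not. No event is removed."""
    out = []
    for t, raw in events:
        m = pattern.search(raw)
        out.append({"_time": t, "_raw": raw,
                    "restart": m.group("restart") if m else None})
    return out


def where_not_empty(events, field):
    """Mimic `where <field> != ""`: keep only events where the field was set."""
    return [e for e in events if e.get(field)]


def timechart_count_by_day(events):
    """Mimic `timechart span=1d count`: count events per calendar day."""
    return dict(Counter(e["_time"][:10] for e in events))


def naive_counts():
    # rex -> timechart: every event counted, restarts or not.
    return timechart_count_by_day(rex(EVENTS, REX))


def filtered_counts():
    # rex -> where -> timechart: only events with a captured restart counted.
    return timechart_count_by_day(where_not_empty(rex(EVENTS, REX), "restart"))
```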