The 15th field of our Apache log is the application server session ID. We truncate the _time field to minute, and get a distinct count of sessions in each minute. The number is 14 below because the source array is zero based.
host=strlpecomweb* sourcetype=access_combined | eval temp=split(_raw,\"\t\") | eval sess=mvindex(temp,14) | bucket span=1m _time | stats dc(sess) as sesscount by _time