As you can see below, 95% of our sessions are less than five minutes in length. This is very useful in sizing the session timeout variable in your context.xml file.
host=cmhlpecomweb* sourcetype=access* | rex mode=sed field=_raw "s/\t/~/g" | eval tmp=split(_raw,"~") | eval jsessionid = mvindex(tmp,14) | transaction jsessionid | stats sum(duration) AS session_time by jsessionid | where session_time > 10 | bucket session_time span=300 | stats count by session_time | sort by session_time
Keep in mind the larger the time window under scrutiny, the more likely you are to eliminate statistical outliers.