Most RSA connection failures have the words "connection failure" in them, although the capitalization and the surrounding words change based on the type of failure. Start with...
index=myindex sourcetype=mysourcetype "connection" "failed" "someuserid" | head 1
...and then use the specific wording of the record you find to craft a more careful way of extracting them. Check whether the userid appears in a specific extracted field or not, and so on. Once you have that information, then you can make a better query than that one.
If you don't know the sourcetype or index they are in, then use * and keep narrowing it down until you figure it out.