So this really depends on how your splunk instance has been built out. Ideally you have your data separated into proper indexes/sources/sourcetypes. Then those source types have the proper field extractions so you can search on the data. I will demonstrate the possible step below for if your instance is built out properly:
The first thing you need to figure out is which index is this data in? a quick way to test your available indexes is to set your time window to 15mins -60mins depending on your volume. then do a index =* (don't do this all the time or your splunk admins will be angry).
Once your search returns parse through the values returned in the interesting fields section, specifically Index, Source, Sourcetype. I imagine your source would be the host name of your firewall. Select that host and then in your time range select the window you are interested in. Hopefully at this point you have some data returning. Then in your interesting fields there might be a value for the user you are looking for, again this depends on your field extractions.