Custom dataset : list of SSL events ("current_user" instead of "user")

Hello,

I'm using a FAZ VM64 that collec data from 5 FortiGate (F81E, F100D and F80E) and I'd like to create a custom dataset to receive daily a summary report of SSL events (connect/disconnect time, user, source @IP, DHCP IP attributed, ...)

When testing the SQL query in the "Edit Dataset", I got something strange (or I don't understand) :

Whis this query :

select  $flex_timestamp as timestamp, * from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null order by timestamp desc

I got a field "user" that fill my need (contain correct values). But if I change the query to reduce number of fields like this:

select  $flex_timestamp as timestamp, action, msg, logdesc, user, tunneltype, remip, tunnelip, duration,   sentbyte, rcvdbyte, reason from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not null order by timestamp desc

The field "user" is renamed in "current_user" and the content is always "postgres"

So when selecting fields, how to get "user" and correct values ?