Windows agent is going to send the file to FortiSIEM, line by line. One line is 1 log. You need to write a parser using the keyword (that you define in User log configuration from gui) as the event recognizer. Within the parser you can define event type based on parsed values. Then you can query using that event type and parsed values.
hope this explains.