Your problem is that the sshd returned from your subsearch appears to be matching the sshd in the name of the process, not the user name.
To fix this, you need to rex your event into fields, assign the username to a field name, and then at the end of your subsearch, assign the result to that field name rather than query . That ought to get you what you want.
... View more