What you are using, a search transform, is meant to run against the index.
You will need to use a script transform instead and do some programming in Painless script to process the payload with the additional regex.
If the regex is only used to check matches (so can evaluate to true or false) and fire an action, then a script condition with the painless script code could be set inside the action.
By the way, if this question is an additional explanation for your other topic, "Xpack Watcher -- Credit card in logs", both of them should be merged to avoid having partial context spread in different threads for the same problem.
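A watch body combining the two options described above, as an added example that is not part of the original post: a script transform applies a Painless regex to each hit in the payload, and a script condition inside the action fires only when something matched. The index pattern `logs-example-*`, the `message` field, the `suspect_ids` key and the digit-run pattern are assumptions; Painless regex support must be allowed by the cluster's `script.painless.regex.enabled` setting.

```json
{
  "metadata": {
    "note": "Added example. Index pattern, field name and regex are assumptions, not values from the thread."
  },
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["logs-example-*"],
        "body": {
          "size": 100,
          "query": { "range": { "@timestamp": { "gte": "now-5m" } } }
        }
      }
    }
  },
  "transform": {
    "script": {
      "source": "Pattern p = /(?:\\d[ -]?){13,16}/; List ids = new ArrayList(); for (def hit : ctx.payload.hits.hits) { def msg = hit._source.message; if (msg != null && p.matcher(msg).find()) { ids.add(hit._id); } } return ['suspect_ids': ids];"
    }
  },
  "actions": {
    "log_suspects": {
      "condition": {
        "script": { "source": "return ctx.payload.suspect_ids.size() > 0" }
      },
      "logging": {
        "text": "Possible card numbers found in documents: {{ctx.payload.suspect_ids}}"
      }
    }
  }
}
```

The transform returns only document IDs, so the matched digits themselves are not copied into the watch history or the action output.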