How to retrieve the User-Agent in a Postoverflow scenario?

Hello, I’m trying to set up a Postoverflow whitelist to whitelist an IP if it triggers an alert on a specific UA, but it doesn’t seem to be working. Do you have any idea why?

name: aukfood/whitelist_screaming_frog_ua
description: "Whitelist Screaming Frog SEO Spider UA from IP 192.192.192.192"
whitelist:
  reason: "Legitimate SEO crawler tool from IP 192.192.192.192 excluded from HTTP bad-user-agent detection"
  expression:
    - 'evt.Meta.source_ip == "192.192.192.192" &&
       evt.Meta.http_user_agent == "Screaming Frog SEO Spider/22.2"'

name: aukfood/whitelist_screaming_frog_ua
description: "Whitelist Screaming Frog SEO Spider UA from IP 192.192.192.192"
whitelist:
  reason: "Legitimate SEO crawler tool from IP 192.192.192.192 excluded from HTTP bad-user-agent detection"
  expression:
    - 'evt.Meta.source_ip == "192.192.192.192" &&
       evt.Meta.http_user_agent == "Screaming Frog SEO Spider/22.2"'

line: 192.192.192.192 - - [17/Oct/2025:09:52:41 +0200] "GET /robots.txt HTTP/1.1" 200 1020 "-" "Screaming Frog SEO Spider/22.2"
├ s00-raw
| ├

crowdsecurity/syslog-logs
| └

crowdsecurity/non-syslog (+5 ~8)
├ s01-parse
| └

crowdsecurity/apache2-logs (+21 ~2)
├ s02-enrich
| ├

crowdsecurity/dateparse-enrich (+2 ~2)
| ├

crowdsecurity/enrich-user-agent-year
| ├

crowdsecurity/geoip-enrich (+13)
| ├

crowdsecurity/http-logs (+7)
| ├

mywhitelists (unchanged)
| ├

crowdsecurity/nextcloud-whitelist (unchanged)
| ├

crowdsecurity/public-dns-allowlist (unchanged)
| └