use regex in xml xpath flex connector | help in xpath and xquery

I have an XML file for the SAG Alliance Gateway, and I'm using an XML flex connector to process it. The connector works, but I'm having trouble with a nested element in the XML. Specifically, I need to extract the value of "RequestRef" using XPath, but my current XPath expression also captures "SwiftRequestRef". Can anyone help me refine the XPath to target only "RequestRef"?

Sample XML

<?xml version="1.0"?>
<Sag:EventLogList xmlns:Sag="urn:swift:sag:ns_Sag">
 <Sag:EventLog>
  <Sag:LogSysTime>01/07/2024 14:09:50.8020</Sag:LogSysTime>
  <Sag:LogSequence>15953137</Sag:LogSequence>
  <Sag:ApplicationId><![CDATA[fin_xxxxxxxx]]></Sag:ApplicationId>
  <Sag:LogCorrelationId>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</Sag:LogCorrelationId>
  <Sag:PlugInName>Sag:SN-I</Sag:PlugInName>
  <Sag:EventNumber>1000</Sag:EventNumber>
  <Sag:EventName>SNL request primitive received</Sag:EventName>
  <Sag:EventSeverity>Information</Sag:EventSeverity>
  <Sag:EventClass>Message</Sag:EventClass>
  <Sag:LogUnitName>None</Sag:LogUnitName>
  <Sag:LogMessage><![CDATA[SNL request primitive received.
Received from Application : fin_xxxxxxxx (Interface : Sag:APL-I)
Primitive : ExchangeRequest
Payload size : 353

Requestor: cn=xxxxxxx,o=xxxxxx,o=swift
Responder: cn=xxxx,cn=fin,o=swift,o=swift
Service: swift.fin
RequestType: DATA
Priority: 
RequestRef: 001025F01LAFBLYLTAXXX0795275654
RequestControl: <SwInt:RequestControl>
<SwInt:RequestCrypto>FALSE</SwInt:RequestCrypto>
<SwInt:NRIndicator>FALSE</SwInt:NRIndicator>
<Sw:ReturnSignatureList>FALSE</Sw:ReturnSignatureList>
</SwInt:RequestControl>
]]></Sag:LogMessage>
  <Sag:LogProcess>sagpi_sni</Sag:LogProcess>
  <Sag:RecordVersion>0</Sag:RecordVersion>
 </Sag:EventLog>
 <Sag:EventLog>
  <Sag:LogSysTime>01/07/2024 14:11:05.1310</Sag:LogSysTime>
  <Sag:LogSequence>15953659</Sag:LogSequence>
  <Sag:ApplicationId><![CDATA[fin_xxxxxxxx]]></Sag:ApplicationId>
  <Sag:LogCorrelationId>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</Sag:LogCorrelationId>
  <Sag:PlugInName>Sag:SN-I</Sag:PlugInName>
  <Sag:EventNumber>2000</Sag:EventNumber>
  <Sag:EventName>SNL response primitive sent</Sag:EventName>
  <Sag:EventSeverity>Information</Sag:EventSeverity>
  <Sag:EventClass>Message</Sag:EventClass>
  <Sag:LogUnitName>None</Sag:LogUnitName>
  <Sag:LogMessage><![CDATA[SNL response primitive sent.
Sent to Application : fin_xxxxxxxx (Interface : Sag:APL-I)
Primitive : HandleRequest
Payload size : 122
SwiftRequestRef: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SwiftRef: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Requestor: cn=xxxx,cn=fin,o=swift,o=swift
Responder: cn=xxxx,o=xxxxxx,o=swift
Service: swift.fin
RequestType: SIGNAL
Priority: 
RequestRef: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
]]></Sag:LogMessage>
  <Sag:LogProcess>sagpi_sni</Sag:LogProcess>
  <Sag:RecordVersion>0</Sag:RecordVersion>
 </Sag:EventLog>
</Sag:EventLogList>

my current parser : 

# ArcSight FlexConnector XML File Reader Configuration
# Configuration for parsing XML files

# Namespace
namespace.count=1
namespace[0].prefix=Sag
namespace[0].uri=urn:swift:sag:ns_Sag

# Hop Nodes
hop.node.count=1
hop.node[0].name=EventLogList
hop.node[0].expression=/Sag:EventLogList

# Trigger Node
trigger.node.expression=//Sag:EventLog

# Token Count
token.count=25

# Tokens
token[0].name=LogSysTime
token[0].type=TimeStamp
token[0].format=dd/MM/yyyy HH:mm:ss.SSS
token[0].expression=Sag:LogSysTime

token[1].name=LogSequence
token[1].type=Integer
token[1].expression=Sag:LogSequence

token[2].name=ApplicationId
token[2].type=String
token[2].expression=Sag:ApplicationId

token[3].name=LogCorrelationId
token[3].type=String
token[3].expression=Sag:LogCorrelationId

token[4].name=PlugInName
token[4].type=String
token[4].expression=Sag:PlugInName

token[5].name=EventNumber
token[5].type=String
token[5].expression=Sag:EventNumber

token[6].name=EventName
token[6].type=String
token[6].expression=Sag:EventName

token[7].name=EventSeverity
token[7].type=String
token[7].expression=Sag:EventSeverity

token[8].name=EventClass
token[8].type=String
token[8].expression=Sag:EventClass

token[9].name=LogUnitName
token[9].type=String
token[9].expression=Sag:LogUnitName

token[10].name=LogMessage
token[10].type=String
token[10].expression=Sag:LogMessage

token[11].name=LogProcess
token[11].type=String
token[11].expression=Sag:LogProcess

token[12].name=RecordVersion
token[12].type=Integer
token[12].expression=Sag:RecordVersion

# Additional Tokens to split LogMessage
token[13].name=SenttoApplication
token[13].type=String
token[13].expression=substring-before(substring-after(Sag:LogMessage, 'Sent to Application : '), '\n')

token[14].name=ReceivedfromApplication
token[14].type=String
token[14].expression=substring-before(substring-after(Sag:LogMessage, 'Received from Application : '), '\n')

token[15].name=Primitive
token[15].type=String
token[15].expression=substring-before(substring-after(Sag:LogMessage, 'Primitive : '), '\n')

token[16].name=PayloadSize
token[16].type=String
token[16].expression=substring-before(substring-after(Sag:LogMessage, 'Payload size : '), '\n')

token[17].name=Status
token[17].type=String
token[17].expression=substring-before(substring-after(Sag:LogMessage, 'Status : '), '\n')

token[18].name=SwiftRequestRef
token[18].type=String
token[18].expression=substring-before(substring-after(Sag:LogMessage, 'SwiftRequestRef: '), '\n')

token[19].name=SwiftRef
token[19].type=String
token[19].expression=substring-before(substring-after(Sag:LogMessage, 'SwiftRef: '), '\n')

token[20].name=SwiftResponseRef
token[20].type=String
token[20].expression=substring-before(substring-after(Sag:LogMessage, 'SwiftResponseRef: '), '\n')

token[21].name=Requestor
token[21].type=String
token[21].expression=substring-before(substring-after(Sag:LogMessage, 'Requestor: '), '\n')

token[22].name=Responder
token[22].type=String
token[22].expression=substring-before(substring-after(Sag:LogMessage, 'Responder: '), '\n')

token[23].name=Service
token[23].type=String
token[23].expression=substring-before(substring-after(Sag:LogMessage, 'Service: '), '\n')

token[24].name=RequestType
token[24].type=String
token[24].expression=substring-before(substring-after(Sag:LogMessage, 'RequestType: '), '\n')

# Conditional Mapping using token
conditionalmap.count=1
conditionalmap[0].token=EventNumber  # Assuming EventNumber is the token to evaluate
conditionalmap[0].mappings.count=2

# Mapping for EventNumber=2000
conditionalmap[0].mappings[0].values=2000
conditionalmap[0].mappings[0].event.deviceCustomString3=substring-before(substring-after(Sag:LogMessage, 'RequestRef: '), '\n')

# Mapping for EventNumber=1000
conditionalmap[0].mappings[1].values=1000
conditionalmap[0].mappings[1].event.deviceCustomString3=substring-before(substring-after(Sag:LogMessage, 'RequestRef: '), '\n')

additionaldata.enabled=true
trim.values=true
trim.tokens=true

# Event Mappings
event.deviceCustomDate1=LogSysTime
event.deviceCustomDate1Label=__stringConstant(LogSysTime)
event.deviceCustomNumber1=LogSequence
event.deviceCustomNumber1Label=__stringConstant(LogSequence)

event.deviceEventClassId=EventNumber

event.deviceCustomString1=PlugInName
event.deviceCustomString1Label=__stringConstant(PlugInName)

event.externalId=LogCorrelationId

# event.deviceCustomString3 is set by conditional mapping
# event.deviceCustomString3=RequestRef
# event.deviceCustomString3Label=__stringConstant(RequestRef)

event.deviceSeverity=EventSeverity

event.deviceCustomString4=EventClass
event.deviceCustomString4Label=__stringConstant(EventClass)
event.deviceCustomString5=LogUnitName
event.deviceCustomString5Label=__stringConstant(LogUnitName)
event.message=LogMessage
event.deviceCustomString6=LogProcess
event.deviceCustomString6Label=__stringConstant(LogProcess)
event.deviceCustomNumber3=RecordVersion
event.deviceCustomNumber3Label=__stringConstant(RecordVersion)
event.name=EventName
event.deviceVendor=__stringConstant(SAG)
event.deviceProduct=__stringConstant(Swift)

# Mapping additional tokens
event.applicationProtocol=Primitive
event.devicePayloadId=PayloadSize
event.deviceCustomString2=Status
event.deviceCustomString2Label=__stringConstant(Status)
event.fileId=SwiftRequestRef
event.sourceUserName=Requestor
event.destinationUserName=Responder
event.requestContext=RequestType
# event.deviceCustomString7=Service
# event.deviceCustomString7Label=__stringConstant(Service)
event.sourceProcessName=SenttoApplication
event.destinationProcessName=ReceivedfromApplication

severity.map.veryhigh.if.deviceSeverity=Severe,Critical,Fatal
severity.map.high.if.deviceSeverity=High,Major
severity.map.medium.if.deviceSeverity=Medium,Warning
severity.map.low.if.deviceSeverity=Low,Information,Info