Windows event 4672
  • klarter
    Junior Member
    • Jul 2020
    • 27

    #1

    Windows event 4672

    I am trying to capture privileged logins to Windows 10. I am using items constructed thus:
    item name -- LogEvent 4672
    type -- Zabbix agent (active)
    key -- eventlog[Security, Information,,4672,,all]
    trigger name -- {HOST.NAME}Event 4672
    expression -- {MSEBCADMSMB001:eventlog[Security,,Information,,5672,,all].last()}=4672
    I do not get any action when I login to that computer as a privileged user.
    Logs tell me that I have an unsupported item key.
    Probably an error in syntax for the item.
    Please help.
    Last edited by klarter; 20-07-2020, 14:54. Reason: Log on monitored machine says "unsupported item key"
  • tim.mooney
    Senior Member
    • Dec 2012
    • 1427

    #2
    It seems like you probably have multiple typos in the information you provided. The "key" you show doesn't match the item part of the expression in 2 different ways:
    1. Information is in a different field (2nd field in key, which is probably wrong, but 3rd field in the item part of the expression, which is probably correct)
    2. the item part of the expression uses 5672, not 4672.
    So, which one is actually what you're using?

    Also, what happens if you anchor the regular expression for the event id, changing it to: ^4672$

    Finally, the last() function probably returns the entire event, not just the event id, so matching just against 4672 likely won't happen. You probably want to look at a different trigger function. It appears that logeventid() might be exactly what you want (not sure, have not used it), but if it's not, either str() or regexp() allow you to match on partial strings in item data.


    • klarter
      Junior Member
      • Jul 2020
      • 27

      #3
      Sorry, I see the typos and here is what I really have:
      key -- eventlog[Security,,Information,,4672,,all]
      trigger name -- {HOST.NAME}Event 4672
      expression -- {MSEBCADMSMB001:eventlog[Security,,Information,,4672,,all].last()}=4672
      will try logeventid().
      thanks


      • klarter
        Junior Member
        • Jul 2020
        • 27

        #4

        I have tried the following with no good result.
        Key event4672 eventlog[Security,,Information,,^4672$,10,all]
        Trigger 1, Trigger 2
        Any more ideas?


        • klarter
          Junior Member
          • Jul 2020
          • 27

          #5
          My event expression started to work when changed to
          event4672 eventlog[Security,.,,^4672$]
          I think "Information" was not proving true in the expression.
          I cannot seem to formulate a trigger which will fire more than once (or have I stumbled on the right expression and then undone it?).
          I can see the item captured in the "latest data" window.
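Putting tim.mooney's points in #2 together with the finding in #5 that the severity field did not match, the following is an added example (not posted by anyone in this thread) of an item key and trigger pair for this event; it assumes Zabbix 4.x/5.0 expression syntax, the thread's host name MSEBCADMSMB001, and the "Multiple" problem-event setting as one way to get the trigger to fire more than once.

```text
# Item (type: Zabbix agent (active) - eventlog[] is only supported as an active check)
# Key format: eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]
#
# Original key from #1: "Information" sits in the regexp field, the event ID is
# unanchored, and mode "all" re-reads the whole Security log when the agent starts:
#   eventlog[Security, Information,,4672,,all]
#
# Corrected key: regexp, severity and source left empty (the thread found that
# "Information" did not match Security-log entries), event ID anchored, and mode
# "skip" so only entries written after the agent starts are collected:
eventlog[Security,,,,^4672$,,skip]

# Trigger expression
# last() returns the message text of the newest entry, so "= 4672" never matches.
# logeventid() tests the event ID of the newest entry and returns 1 on a match:
{MSEBCADMSMB001:eventlog[Security,,,,^4672$,,skip].logeventid(^4672$)}=1

# Trigger settings, so that every 4672 entry raises a problem rather than only the
# first one (a trigger that stays in PROBLEM after the first match never re-fires):
#   Problem event generation mode: Multiple
#   OK event generation: None
```

Expect volume: event 4672 is also written for SYSTEM and service logons that receive sensitive privileges, not only for interactive administrator logins.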
