Item with multiple triggers

  • servant-frost
    Junior Member
    • Apr 2021
    • 19

    #1

    Item with multiple triggers

    I am using the pfsense templates in the Zabbix Share. One of the item prototypes is for VPN logins from OpenVPN. I would like to log all VPN logins as information alerts, but if they are from 1700-0800, the trigger would be HIGH. I tried to make two item prototypes but since it uses the same key, I am not able to do that. I then tried two triggers, one for any time and before that, one for the time range. It doesn't seem to work. I am sure I am missing something very simple but I can't wrap my head around how to achieve this.

    Would anyone be so kind to point me in the right direction?

    Thank you.
  • servant-frost
    Junior Member
    • Apr 2021
    • 19

    #2
    Sorry about that...

    Here is the item prototype: pfsense.value[openvpn_server_uservalue,{#UNIQUEID},user_name]

    Here is the current trigger prototype: {Template pfSense Active OpenVPN Server User Auth:pfsense.value[openvpn_server_uservalue,{#UNIQUEID},user_name].last()}<>0

    • servant-frost
      Junior Member
      • Apr 2021
      • 19

      #3
      I am still working on the best way to do this. I changed from using the trigger prototype to creating an item and trigger normally.

      Item:
      log[/var/log/openvpn.log,"(.*)(?<=authenticated)",,,skip,\1]

      My goal is to just extract the user name from before authenticated. That part works.

      Trigger expression:
      {Template pfSense Active:log[/var/log/openvpn.log,"(.*)(?<=authenticated)",,,skip,\1].last(#1)}=1

      I have also tried:
      {Template pfSense Active:log[/var/log/openvpn.log,"(.*)(?<=authenticated)",,,skip,\1].str(,#1)}=1

      I would like to have this trigger if the event occurs in the last 1 minute. Later I can add the time conditions. What appears to be happening is that my trigger is parsing the entire openvpn.log for any occurrence of the event rather than in the last 1 min. So a trigger will fire and say X user has connected. But if we check the firewall and look, that user hasn't logged in at that time but they did in the past. If we clear the event, it will trigger again.

      How do I go about resolving it so that it will only trigger for the current entries in the log? Weirdly enough, I have the same type of item and trigger for auth.log looking for other logins and those work properly.

      {Template pfSense Active:log[/var/log/auth.log,(index.php: Successful login for user)(.*),,,skip,\2].str(,#1)}=1

      I'm sure I am doing something incorrectly. Any suggestions?
      Last edited by servant-frost; 09-06-2021, 03:51.

      • cyber
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Dec 2006
        • 4807

        #4
        Your trigger conditions could be nice to see. Kind of hard to fix something we don't see...
        But something like "... and (item.time()>170000 or item.time()Other should probably be " ... and (item.time()>080000 and item.time()

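Added example, not part of any post in this thread and not Zabbix or pfSense code: a standalone Python sketch of the two conditions discussed above, severity by a 1700-0800 window that wraps past midnight and alerting only on entries from the last minute. The log line shape (`user 'NAME' authenticated` after a syslog timestamp), the boundary handling (17:00:00 counts as off-hours, 08:00:00 does not) and all function names are assumptions.

```python
import re
from datetime import datetime, time, timedelta

# Assumed line shape (syslog prefix + "user 'NAME' authenticated"); adjust to your log.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*\buser '(?P<user>[^']+)' authenticated")

OFF_START, OFF_END = time(17, 0), time(8, 0)   # the 1700-0800 range from the thread


def is_off_hours(t, start=OFF_START, end=OFF_END):
    """True when start <= t < end, including windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end               # a wrapped window needs OR, not AND


def parse_logins(lines, year):
    """Yield (timestamp, user) per authentication line; syslog omits the year."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"]


def alerts(lines, now, window=timedelta(minutes=1)):
    """Return (user, severity) only for logins inside the last `window` before `now`."""
    out = []
    for ts, user in parse_logins(lines, now.year):
        if timedelta(0) <= now - ts <= window:  # older history in the file is ignored
            out.append((user, "HIGH" if is_off_hours(ts.time()) else "INFO"))
    return out


# Constructed sample lines, not taken from a real firewall.
SAMPLE = [
    "Sep  6 10:15:00 fw openvpn[4121]: user 'bob' authenticated",
    "Sep  6 19:42:10 fw openvpn[4121]: user 'alice' authenticated",
    "Sep  6 19:42:30 fw openvpn[4121]: 203.0.113.7:51820 TLS: Initial packet",
    "Sep  7 07:59:59 fw openvpn[4121]: user 'carol' authenticated",
    "Sep  7 08:00:00 fw openvpn[4121]: user 'dave' authenticated",
]

if __name__ == "__main__":
    print(alerts(SAMPLE, datetime(2021, 9, 6, 19, 42, 40)))
```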