Hi,
I'm attempting to create a method to exclude users from service account values without excluding a particular service account. Is there a generic approach we can use to identify and exclude both existing and future service accounts?
How could we write the search for this use case?
Thanks.
What I need here is: when the event has OU=Service IDs,OU=users,OU=computers, exclude all the src_user from OU=Service IDs only.
Thanks
It would help to have a more defined set of requirements as well sample input and output, but perhaps this will help.
<<your search>>
| search NOT (OU="Service IDs" AND [ | inputlookup mylookup.csv | fields src_user | rename src_user as sAMAccountName | format ])
Adjust the fields and rename commands as necessary to match your fields.
Why do we need a lookup table here? I don't think we need it. I just want to exclude all the service accounts in OU="Service IDs" from an event.
You don't *need* a lookup. You can put an exclude list directly in the SPL, but that may end up being more difficult to maintain.
...
Apart from the redundant "4738" in the macro, this code looks like it should work. How is it failing you?
...
Debug the query by running the commands before the first | in a new query. Verify the desired fields are present. Add the commands up to the next | and verify the fields are still there. Repeat the process until the fields disappear and you'll have found the source. Post the details if you need help determining the cause.
Hi, how can we exclude service accounts from this event?
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{549549625-5488-43494-AHGBA-3E353B0328CEDQS0D}'/><EventID>4738</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-16T16:08:38.166868000Z'/><EventRecordID>668676978</EventRecordID><Correlation/><Execution ProcessID='656' ThreadID='6132'/><Channel>Security</Channel><Computer>swrfkeou09.am.win.cisco.com</Computer><Security/></System><EventData><Data Name='Dummy'>-</Data><Data Name='TargetUserName'>BP_william_son</Data><Data Name='TargetDomainName'>AM</Data><Data Name='TargetSid'>AM\BP_william_son</Data><Data Name='SubjectUserSid'>EC\EC_OktaGMSER$</Data><Data Name='SubjectUserName'>EC_OktaGMSER$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x7e3yd92a4</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>%%1794</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x15</Data><Data Name='NewUacValue'>0x10</Data><Data Name='UserAccountControl'>
%%2048
%%2050</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data></EventData></Event>
Here OU is a multi-value field.
Just use a lookup which lists all accounts to exclude.
Hi,
What if we get future service accounts?
Update the lookup file as new service accounts are added or removed.
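As an added example (not code from any of the posters above), here is one way to write the exclusion so that it also covers service accounts created in the future without maintaining a list of names: filter on the multi-value OU field itself rather than on account names. It assumes the OU multi-value field and src_user are already present on the event as stated earlier in the thread, keeps the `<<your search>>` placeholder from the earlier reply, and the lookup file service_account_exceptions.csv (columns src_user and keep) is an assumed, optional allowlist for any particular service account that should not be excluded.

```spl
<<your search>>
| eval svc_ou_hit=mvfind(OU, "^Service IDs$")
| lookup service_account_exceptions.csv src_user OUTPUT keep
| where isnull(svc_ou_hit) OR coalesce(keep, "no")="yes"
| fields - svc_ou_hit keep
```

mvfind returns the index of the first OU value that matches the regex and null when none does, so any account whose path contains OU=Service IDs is dropped whether it exists today or is created next month; the ^ and $ anchors stop a similarly named OU such as "Service IDs Archive" from matching, and `(?i)` can be prepended if the case varies. The lookup line only matters if you need to keep a specific account; remove it and the `OR` clause if you do not. If the filter drops nothing, check that OU is actually populated at that point in the pipeline, following the step-by-step debugging approach described above.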
Hi,
Any ideas?