We are facing a situation in which it seems someone updated high number of row in one of the large table. Based on last update timestamp in table, it seems those updates happened three weeks back but user id columns is not updated.
We want to know which user id was used for this update and also preferable to get IP address of system that submitted update statement.
You can get such an information from the transaction logs for the time when the changes were maid. But if you have "data capture changes" attribute was set for your table or you had db2_logging_detail registry variable set to AUTHID value.
IP address is not recorded in the logs anyway unless you had some corresponding monitoring active at the time of changes.
To dig into transaction logs you should use some SW using db2 read log API like IBM Recovery Expert, for example.
Comes down to this: how much money is it worth to pay to find out ?
Got a Comprehensive database-enforced security model?
Got comprehensive application logging, retained long enough to cover the period of the bulk update
Got db2diag* for the period of the update?
Got comprehensive scheduled-job records?
You may find that a shared-ID was responsible for the update, meaning you might not be able to deduce which real end user triggered the updates (if there was one).