Hi all,
I have one lookup which had around 1000 entries. Recently someone updated the lookup and all entries got deleted. How can I know who updated the lookup?
You could try searching the _audit index for searches which include outputlookup (assuming that this was used to update the lookup)
I also have a lookup which is being updated but the user is n/a. It's a csv lookup. I cannot find any relevant occurrences of outputlookup before the update event.
What other ways than using outputlookup could there be which resulted in the lookup being updated?
You can use this search to look for any lookup edits that were logged to the _internal index:
index=_internal "Lookup edited*" sourcetype=lookup_editor_rest_handler | table _time namespace lookup_file user
It will output the time it was saved, the app/namespace it was in, the filename and the user that saved it
This does work, in general. However for a specific time when we know the lookup was edited I can see no results. The use case is that a user added billions of events to a file lookup which broke SH replication. I want to find out which user.
I can see the lookup update action in the _audit index but the user is "n/a". I cannot find any corresponding searches with outputlookup nor any entries using the query against the _internal index.
You might be able to narrow down which users were on the system at the time (also any searches that might have done it, even if scheduled) by running
index=_audit "login attempt" | table _time user action info
You might have a lot of "internal_observability" user hits that you can exclude, but then it should be broken down into actions of success or search. The search should show if any user had an outputlookup mess up the lookup file, and any of the success entries should just be people logging in/opening a new tab. It might not be a smoking gun but it will narrow down who could have done it.
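One search that combines the two sources discussed in this thread (outputlookup searches logged in _audit, and Lookup Editor saves logged in _internal) and filters them to a single lookup file. This is an added example, not from any of the answers above; `my_lookup.csv` is a placeholder for the lookup in question, and for a scheduled search the `user` field shows the owner of the saved search, not whoever triggered the schedule.

```spl
(index=_audit action=search info=granted search="*outputlookup*my_lookup*")
    OR (index=_internal sourcetype=lookup_editor_rest_handler "Lookup edited*" lookup_file="my_lookup.csv")
| eval edit_source=if(index="_audit", "outputlookup search", "lookup editor app")
| eval detail=coalesce(search, lookup_file)
| fillnull value="n/a" user namespace
| table _time edit_source user namespace detail
| sort _time
```

Restrict the time picker to the window in which replication broke; an edit that appears in neither source was made through a path these two logs do not cover.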