There is a catch, sometimes the user can identify itself multiple times between several id. The lookup table is not ideal made to take care of this situation, perhaps a better approach is to collect all ids ever related into a single field then select one id to represent the whole group. Needs improvement but the impact is not big

Since the free license does not seem to include report scheduler, I had to setup a crontab entry such as
0 0 * * * root /opt/splunk/bin/splunk search '|savedsearch "Job to update sp_aliases lookup"' >/dev/null 2>&1

I made a table of aliases as a multivalue field named myid

* | stats values(oldId) as myid by id | eval myid=mvdedup(mvappend(myid,id)) | table myid

Somehow I need to combine the stats in the top comment to group by any value found in myid. Still having no idea how to do it.

So using the above search I get a table like a lookup table. I would calculate a new field theId in main search based on id, if id is inside myid field in the lookup table I would return the identified id.

then I could group events by the new theId field.

However implementing such a lookup apparently required exporting the table to a csv file? Then I need to define a job to do this from time to time to update the lookup file.

So I got this step, by creating a lookup file from the search
event=sp_alias | where oldId != id | stats values(oldId) as myid by id | outputlookup sp_aliases.csv

Now I have to tune the lookup file to include everything I need and find a way to use it in the main search. Also I need to automate the above search through a job I suppose.

yes, thanks for the tip, changing both values with list helped to display the steps more clearly, even if the stats table increased.

New search have a sort too to see better the mass behavior:
host="sp.dentfix.ro" | stats list(event) as step list(eval(strftime(_time, "%Y-%d-%m %H:%M"))) as times by id | mvcombine step | stats count as num by step | sort num desc