Not sure if this is a good idea in your environment, but you could probably write a wrapper script that stops the forwarder and in the alert use the Trigger Action "run a script" that calls this script.
The problem I see is that you would sometimes trigger this alert when there are a lot of "good" events, so just a peak in "normal" events.
Maybe you can combine the amount of events with some strings that are unique for the "bad" events and only trigger the alert when both are true.
Hope it gives you an idea.
BR Ralph -- Karma and/or Solution tagging appreciated.
If you go down this path, make your life easier with a scripted alert action on your deployment server and an app for the transforms. It will automate deployment to the parsing nodes, and give you some flexibility about where this filtering is applied.
1. Search for high volume
2. Trigger update alert script
3. Update app in deployment-apps: append to transform REGEX with offending data: just keep adding |NEW PATTERN on the end of the REGEX. If you only care about hosts then use [HOST::*] in props and SOURCE= MetaData:Host in your transform
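A sketch of step 3 as an added example (not code from either poster): it appends the offending string to the `REGEX` of one transforms stanza, escaped so it is matched literally, skips duplicates, and refuses empty or runaway additions that would drop far more than intended. The stanza name, the sample file content and the cap of 20 alternatives are assumptions, and Python's `re` stands in for Splunk's PCRE when checking that the result compiles.

```python
import re

# Constructed sample transforms.conf for a deployment app (stanza names are hypothetical).
SAMPLE = """\
[drop_noisy_events]
REGEX = connection reset by peer
DEST_KEY = queue
FORMAT = nullQueue

[other_transform]
REGEX = keepme
"""

MAX_ALTERNATIVES = 20  # assumed cap so an alert loop cannot grow the filter unbounded


def append_pattern(conf_text, stanza, offending):
    """Return conf_text with `offending` appended as a |alternative to the stanza's REGEX."""
    if not offending.strip():
        # "REGEX = foo|" has an empty alternative that matches every event
        raise ValueError("empty pattern would match every event")
    escaped = re.escape(offending)  # treat the offending data as a literal, not a regex
    out, current, found = [], None, False
    for line in conf_text.splitlines():
        header = re.match(r"\[(.+)\]\s*$", line)
        if header:
            current = header.group(1)
        m = re.match(r"(REGEX\s*=\s*)(.*)$", line)
        if m and current == stanza:
            found = True
            # Split on unescaped pipes only; good enough for counting and de-duplication
            parts = re.split(r"(?<!\\)\|", m.group(2))
            if escaped not in parts:
                if len(parts) >= MAX_ALTERNATIVES:
                    raise ValueError("too many alternatives; review the filter by hand")
                combined = m.group(2) + "|" + escaped
                re.compile(combined)  # fail before writing a regex that does not compile
                line = m.group(1) + combined
        out.append(line)
    if not found:
        raise KeyError(stanza)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(append_pattern(SAMPLE, "drop_noisy_events", "ERROR [db] timeout"))
```
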