AFAIK that is not possible through some configuration parameter specifically designed for this purpose.

However, there might be some ways to get near what you're after.

1) Use a forwarder of the occasionally misbehaving host, and set a cap on the network bandwidth it can utilize. It will require some tuning to get to the right number, so that you don't inadvertently throttle your known good traffic. See http://splunk-base.splunk.com/answers/29538/maxkbps-option-and-limiting-a-forwarders-rate-of-thruput

2) Set up a scheduled search - say every 5 min - for number of events and alert if there are above a certain threshold.

index=myindex host=myhost sourcetype=mysourcetype earliest=-5m | stats c

3) As for deleting, hopefully you can identify the messages based on content and/or timestamp, and use the delete command.

With a little luck and timely investigation of the alerts generated, you'll be able to stay under your license limit.

ALTERNATIVE:

If the unwanted error messages contain a unique signature that does not occur otherwise, you can set up a nullQueue for those on the indexer. This will not work in conjunction with the steps outlined above, as events sent to the nullQueue are not indexed, and there would thus be little point in throttling the forwarder (remember, the reason for throttling was to avoid license violations).

http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Discard_specific_events...

If you have a heavy forwarder, you will have to do the nullQueueing there instead.

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Hope this helps,

Kristian