Let me add a simple idea that matches (in a limited way) how tools like SEC operate. Allow extraction of a key within the eventsource definition (this is the "desc" field in SEC, the thing that correlates different events). With this, we can then place linked/correlated events into a single bucket so that each new one is not considered new unless the bucket has aged out. Keeping a counter of those hits would also be handy. Ultimately, the right solution involves much more complexity, but as it stands getting alerts on eventsources is a giant PITA, yet there are times you really want to get them as alerts.
Thanks,
Mark
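The bucketing idea described above, sketched as an added example that is not part of the original post and not code from SEC or any other project. The class name, the key regex, the 300-second window and the log lines are all constructed assumptions.

```python
import re

class EventCorrelator:
    """Bucket events by an extracted key; alert once per bucket until it ages out."""

    def __init__(self, key_pattern, max_age):
        self.key_re = re.compile(key_pattern)  # capture groups form the key
        self.max_age = max_age                 # seconds a bucket stays open
        self.buckets = {}                      # key -> [first_seen, hits]

    def extract_key(self, line):
        m = self.key_re.search(line)
        return "|".join(m.groups()) if m else None

    def feed(self, ts, line):
        """Return (alert, key, hits) for one event."""
        key = self.extract_key(line)
        if key is None:
            return (False, None, 0)            # not a correlated event type
        bucket = self.buckets.get(key)
        # Assumption: age is measured from the bucket's first event, so a
        # condition that persists re-alerts once per window.
        if bucket and ts - bucket[0] <= self.max_age:
            bucket[1] += 1
            return (False, key, bucket[1])     # suppressed, counter bumped
        self.buckets[key] = [ts, 1]
        return (True, key, 1)                  # new or aged-out bucket

    def expire(self, now):
        """Drop aged-out buckets so memory stays bounded; returns their hit counts."""
        old = {k: b[1] for k, b in self.buckets.items() if now - b[0] > self.max_age}
        for k in old:
            del self.buckets[k]
        return old

# Constructed sample events: (timestamp in seconds, log line)
SAMPLE = [
    (0,   "sshd[411]: Failed password for root from 192.0.2.10 port 50122"),
    (20,  "sshd[412]: Failed password for root from 192.0.2.10 port 50130"),
    (45,  "sshd[413]: Failed password for admin from 198.51.100.7 port 40001"),
    (50,  "sshd[414]: Failed password for root from 192.0.2.10 port 50141"),
    (400, "sshd[420]: Failed password for root from 192.0.2.10 port 50200"),
    (410, "cron[99]: session opened"),
]

def run(events=SAMPLE, max_age=300):
    c = EventCorrelator(r"Failed password for (\S+) from (\S+)", max_age)
    return [c.feed(ts, line) for ts, line in events], c
```

Only the first event of each bucket raises an alert; the repeats at 20 s and 50 s are counted but suppressed, and the event at 400 s alerts again because its bucket has aged out.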