Using the HTTP OMS Data Collector API for real-world scenario’s–Part 3
This is the third part in this using the HTTP OMS Data Collector API for real-world scenario’s series. In the first part I explained the how the Log Analytics HTTP Collector API works and how we could use PowerShell to get some Stock price data in the correct format.
In part 2 I explained how to use an Azure Automation Runbook to retrieve Stock Price data and send this data to the OMS Log Analytics HTTP Data Collector API.
In this part I’m going to show you how can use the OMS Alerting feature to get notified when a Stock Price hits a certain threshold, that could indicate that should sell your Stock.
Alerts in Log Analytics
Alerts in Log Analytics identify important information in your OMS repository. Alert rules automatically run log searches according to a schedule and create an alert record if the results match particular criteria. The rule can then automatically run one or more actions to proactively notify you of the alert or invoke another process. You can find more information about Alerts in Log Analytics in the References part of this blog.
Scenario
In the previous blog post we have collected hourly Stock Price values for some time and have them stored in OMS.
The most basic and widely used trading alert type is called crossing. This means, “let me know when price crosses X”. A “Crossing” alert is triggered when the current price series crosses the value set when the alert was created (doesn’t matter which direction). *
Crossing Down / Crossing Up is more specific version of the Crossing alert. You get to specify whether a price is crossed in an upward move, or a downward move. *
Usage example:
“Contoso” is currently at $44.54. I think it will go down, and then back up to $42, at which point I'll buy because it's an upward trend. So, I want to know when Contoso stock price crosses $42 UPWARD.
If we look at the current “Contoso” stock price we see that the current value is: $56.2.
I used the following query in OMS Log Search on the data from the last 7 days:
[sourcecode language='sql' padlinenumbers='true']
* Type=MSFTStock_CL t_s=MSFT| measure max(l_d) by t_s interval 1Day
If we want to know what the highest “Contoso” stock price has been in the past 7 days we can run the following OMS Log Search query:
[sourcecode language='sql' ]
Type=MSFTStock_CL t_s=MSFT | select l_d, TimeGenerated | sort l_d desc | top 10
This returns the top 10 results.
If we want to know what the lowest “Contoso” stock price has been in the past 7 days we can run the following OMS Log Search query:
[sourcecode language='sql' ]
Type=MSFTStock_CL t_s=MSFT | select l_d, TimeGenerated | sort l_d asc | top 10
We know know that the highest value stored has been $57.67 and we now see a downward trend to a value of $56.21.
If I expect to see this the value drop even further and then backup to $56.5 at which point I'll want to buy because it's an upward trend. So, I want to know when “Contoso” crosses $56.5 UPWARD.
OMS Alert configuration
With OMS Alerting we are able to configure Alert notification when a certain stock price value threshold is reached.
There are different actions for Alerts you can configure in OMS:
- Email Notification
- Webhook
- Runbook
In this example we are going to create an Alert with an Email Notification. Alerts in OMS use Log Search queries to configure the Alert. You need to think about the following options to configure the Alert:
- Severity
- Search Query
- Time Window
- Schedule
- Number of results
To start creating a new Alert you first need to create a Log Search Query that returns the records you are going to use for the Alert.
Below the fields you need to configure for the Alert.
We are looking for “an upward trend for the “Contoso” stock price and a notification when the “Contoso” stock price hits $56.5” this is not something we can completely catch in Log Search query. There is not a way to see an up or downward trend using a Log Search query to my knowledge.
So we are going to create a Log Search query for daily aggregated “Contoso” stock price of $56.5. So as soon as the daily aggregated value of the “Contoso” price value is higher than $56.5 we want to receive an email to determine of we want to buy “Contoso” Stock.
If run the following OMS Log Search query for the last day it does not return any results (as expected):
[sourcecode language='sql' ]
Type=MSFTStock_CL t_s=MSFT | measure max(l_d) by TimeGenerated | where AggregatedValue > 57.50
When I change the period to the last 7 days we see that there has been time that the “Contoso” Stock price has been higher than 57.50.
We can use this Log Search query in the Alert we want to create.
Below the information on the properties you need to configure for the Alert.
| Property | Description |
| Alert information | |
| Name | Unique name to identify the alert rule. |
| Severity | Severity of the alert that is created by this rule. |
| Search query | Select Use current search query to use the current query or select an existing saved search from the list. The query syntax is provided in the text box where you can modify it if necessary. |
| Time window | Specifies the time range for the query. The query returns only records that were created within this range of the current time. This can be any value between 5 minutes and 24 hours. It should be greater than or equal to the alert frequency. For example, If the time window is set to 60 minutes, and the query is run at 1:15 PM, only records created between 12:15 PM and 1:15 PM will be returned. |
| Schedule | |
| Threshold | Criteria for when to create an alert. An alert is created if the number of records returned by the query matches this criteria. |
| Alert frequency | Specifies how often the query should be run. Can be any value between 5 minutes and 24 hours. Should be equal to or less than the time window. |
| Suppress alerts | When you turn on suppression for the alert rule, actions for the rule are disabled for a defined length of time after creating a new alert. The rule is still running and will create alert records if the criteria is met. This is to allow you time to correct the problem without running duplicate actions. |
If you new receive 2 consecutive email Alert Notifications within 2 hours you know that the “Contoso” Stock price has gone up to a value of $57.61 and that this has been the case for already 2 hours.
As soon as the threshold is reached you should see an email Alert notification to notify you to buy “Contoso” stocks.
In the last blog post in this series we are going to demonstrate how you can create a Dashboard with the collected Stock price data using the View Designer.
Hope you are enjoying this blog series.
References: