ARK: Survival Evolved

Part 1

As many of you who game know, since Minecrafts debut in late 2011 indie games have taken over the gaming industry. One of their great benefits is the ability to host your own server at home or via something like AWS or another paid hosting service. This is a great feature for any number of reasons, and gamers love it!

I’m a Splunk guy, who likes to game. I recently purchased an older Dell Server to run my home Splunk instance. After throwing ESXi on it and realizing that my home logs weren’t enough interest for me I started thinking about other logs I could ingest as a fun use-case to expand my Splunk Skills, and have an excuse to host a game server. Browsing my Steam Library my choices came down to Rust or ARK: Survival Evolved. With Rust you spawn in naked (dangly bits and all), with a rock, on a radioactive island and do your best to survive. In ARK you spawn in with a loin cloth and nothing else, but you’re on an island with dinosaurs (think Jurassic Park) that you can tame and ride. Okay, clearly I decided to go with ARK.

Now before you jump all over me for hosting this on Windows, let me be clear this is hosted on Windows to maintain my quality of life. Reason being if you’re going to host an ARK server you’re going to to want to play the game, not JUST host it for others to play. Windows has this fantastic application called ARK Server Manager that makes life REALLY easy for anyone hosting an ARK server.


Alright, now the real reason you are here is to take your logs and make pretty pictures. First I’m going to make a few assumptions.

  1. You have a working Splunk Instance.
  2. You have a forwarder installed on your ARK Server.
  3. We will be referencing an index called ark and a sourcetype called ark. (Create the index if you haven’t already).

ARK logs are actually decent. They have a timestamp, followed by game detail.


One of the initial problems when ingesting the logs was fixing the timestamp. More on this later.

Next we’ll need to configure the inputs.conf on the forwarder side. Which is really just identifying the ARK logs and putting a proper stanza in the inputs.conf. We’ll also need to ingest the perfmon logs from your Windows ARK server. Shown below is my inputs.conf, take note to the path of the last stanza and be sure to enter your proper ARK log location:

Next we’ll need to change a few things in the props.conf to extract fields properly. I’ll say here that my Regular Expressions (REGEX) are a bit off, but for the dashboard created it gets the job done. I’ll be updating later as I have time to perfect my REGEX. Additionally I noticed that the ARK server by default sets the timezone to GMT+00:00. I had to note this in the props.conf.

Now that that is configured you can start building out your dashboard!

My top level dashboard that gives me all the information I need at a glance looks like this:

And the code:


I plan to make the Splunk queries better, and of course perfect the REGEX. Feel free to borrow my code and add to it. This has been a great learning experience for me as I actually have vested interest in the logs I’m Splunking. I highly recommend something like this to anyone wanting to learn Splunk, especially if you are a gamer. Stay tuned, more to come at a future date!


Haven’t purchased ARK: Survival Evolved yet and want to help support this site? Consider using the Following link:

Share This: