I'm new to Splunk... I'm currently running Splunk on an Ubuntu system. I've noticed that the /proc directory is showing as using 10TB out of my 14TB disk and in the Splunk GUI under “Overview > Disk Usage” my disk is reflecting this usage.
From my understanding, /proc is a virtual filesystem and doesn’t actually consume real disk space. However, Splunk appears to be interpreting it as used space, which is concerning. I'm worried that this might eventually lead Splunk to report 100% disk usage, even though there's actually plenty of space available.
I'd like to hide or exclude /proc from being monitored in Disk Usage so that Splunk reflects the actual disk consumption more accurately.
My questions are:
Looking at doing something like this
/opt/splunk/etc/system/local/inputs.conf
[monitor:///]
blacklist = ^/proc
Appreciate any guidance on this.
Don't do that. Putting [monitor:///] in inputs.conf will tell Splunk to ingest EVERY FILE on the system (except /proc), which is not desirable. It also won't solve the problem.
Disk usage data doesn't come from monitor inputs; it comes from the Linux TA. Go to that add-on and disable or modify the df script.
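As background to the point raised in this thread that /proc is a virtual filesystem, the following added example (not part of any post here, and not code from Splunk or the Add-on for Unix and Linux) separates block-backed mounts from pseudo-filesystems using the "nodev" flag in /proc/filesystems. The sample data is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in /proc/filesystems format. "nodev" marks a type that
# is not backed by a block device (this also covers network types such as
# nfs4, so review the list before excluding them from capacity reports).
SAMPLE_FILESYSTEMS = (
    "nodev\tsysfs\nnodev\ttmpfs\nnodev\tproc\nnodev\tdevtmpfs\n"
    "nodev\tnfs4\n\text4\n\tvfat\n"
)

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS = (
    "sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec 0 0\n"
    "udev /dev devtmpfs rw,nosuid 0 0\n"
    "tmpfs /run tmpfs rw,nosuid,nodev 0 0\n"
    "/dev/sda2 / ext4 rw,relatime 0 0\n"
    "/dev/sda1 /boot/efi vfat rw,relatime 0 0\n"
    "/dev/sdb1 /opt/splunk\\040data ext4 rw,relatime 0 0\n"
)

def nodev_types(filesystems_text):
    """Return the set of filesystem types flagged 'nodev'."""
    types = set()
    for line in filesystems_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "nodev":
            types.add(fields[1])
    return types

def unescape(field):
    """/proc/mounts encodes spaces and tabs as octal escapes such as \\040."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def classify_mounts(mounts_text, pseudo_types):
    """Split mount points into (block_backed, pseudo) lists, in file order."""
    real, pseudo = [], []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        mountpoint, fstype = unescape(fields[1]), fields[2]
        (pseudo if fstype in pseudo_types else real).append(mountpoint)
    return real, pseudo

if __name__ == "__main__":
    real, pseudo = classify_mounts(SAMPLE_MOUNTS, nodev_types(SAMPLE_FILESYSTEMS))
    print("block-backed:", real)
    print("pseudo:", pseudo)
```

On a live host the same two functions can be fed the contents of /proc/filesystems and /proc/mounts instead of the samples.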
1. Yes, the remark about the monitor stanza is 100% spot-on.
2. I suppose we're talking about different spots where disk usage is presented. @richgalloway is talking about what is retrieved from forwarders with a scripted input from Add-on for Unix and Linux but I think @taskmaster is referring to what's presented in Monitoring Console's instance resource screen. The latter is retrieved from the OS by splunkd itself and - to be honest - I don't recall ever seeing anything other than Splunk's filesystems. Maybe that's something specific to Ubuntu? (I don't think I've ever run Splunk on anything other than RH-derived systems)
Yes @PickleRick you are correct. Here's an example from a test VM I set up, running Windows, just to illustrate the issue. Under Overview > Resource Usage: Instance > Disk Usage on the Splunk Server, it shows the total and used disk space. In this case, the C: drive is 63.3 GB, with about 31 GB in use, as shown in the screenshot below.
My concern with our Ubuntu build (noted in the original question) is around /proc, which is a virtual filesystem and doesn’t actually take up real disk space. However, Splunk seems to include it under resource usage, which could lead to inaccurate reporting especially if Splunk is interpreting virtual usage as real disk usage.
That’s why I wanted to blacklist /proc: to ensure only actual disk utilization is shown, excluding virtual filesystems that don’t reflect real storage use. I understand now that this is not a valuable solution but wanted to hopefully find something. I hope this makes sense and thanks everyone for the feedback.
Thanks for the feedback, I’ll definitely give that a try