I can say from recent experience in 2017 on Splunk 6.5 that the buckets will roll from warm to cold, even if the cold volume and warm volume are the same.

A customer maximized their disk space, and the indexer stopped writing to disk. They reduced the maxVolumeDataSizeMB setting on the cluster master, and redeployed the bundle to the indexers. Through the monitoring console, we can instantly see the warm bucket size and usage decrease, and the size of the cold bucket increase usage increase. We also validated by looking at the filesystem.

The old data was NOT frozen!

This seems to contradict you.

When a volume containing warm buckets reaches its maxVolumeDataSizeMB, it starts rolling buckets to cold. When a volume containing cold buckets reaches its maxVolumeDataSizeMB, it starts rolling buckets to frozen. If a volume contains both warm and cold buckets (which will happen if an index's homePath and coldPath are both set to the same volume), the oldest bucket will be rolled to frozen.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Configureindexstoragesize#Configure_index_...

oops. 2nd part of the dirname, but the 1st epoch. my bad. corrected above already.

You need to define a frozen path, so that splunk knows where to put them (and not delete them). However, once they are frozen, they are no longer searchable, as only the raw data, and not the tsidx files are retained.

You can figure out which of the buckets that are likely to be frozen.

This will require that you find the size reduction / bucket size number of buckets and move them manually. In your case that could be (400 GB / 10 GB) ~40 buckets, but you should probably take a few more. Take the 50 buckets with the lowest values of X, where X is the 1st epoch timestamp part of the dirname

Can I find out wich buckets are frozen and move them to cold?