I also tried with comma, still Error 403

With basic authentication and without authentication with an external generate session id

Does your web server have logs to tell you the specific reason it is issuing a 403 response ?

it reports only a invalid session id, but only if i try to access via splunk, via firefox it works.

When I run the following script, I get a value back, API still not running:

SERVER="192.168.178.1"
PASSWORD="secret"

challengeRsp=$(curl --header "Accept: application/xml" \
--header "Content-Type: text/plain" \
"http://$SERVER/login_sid.lua" 2>/dev/null)

challenge=$(echo $challengeRsp | sed "s/^.//" | sed "s/<\/Challenge>.$//")

if [[ -z $challenge ]]; then
echo "No challenge found"
exit 0
fi

challenge_bf="$challenge-$PASSWORD"
challenge_bf=$(echo -n $challenge_bf | iconv -t UTF-16LE | md5sum - | cut -c 1-32)
response_bf="$challenge-$challenge_bf"

url="http://$SERVER/login_sid.lua"

sidRsp=$(curl --header "Accept: text/html,application/xhtml+xml,application/xml" \
--header "Content-Type: application/x-www-form-urlencoded" \
-d "response=$response_bf" \
$url 2>/dev/null)

sid=$(echo $sidRsp | sed "s/^.//" | sed "s/<\/SID>.$//")

regex="^0+$"
if [[ $sid =~ $regex ]]; then
echo "Invalid password"
exit 0
fi

IFS=' '
stats=$(curl --header "Accept: application/xml" \
--header "Content-Type: text/plain" \
"http://$SERVER/webservices/homeautoswitch.lua?ain=087610156436&switchcmd=getswitchpower&sid=$sid" 2>/dev/null)

echo $stats

paste your actual stanza from inputs.conf

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

[blacklist:$SPLUNK_HOME/etc/auth]

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log]
index = _telemetry

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt =

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =

[fschange:$SPLUNK_HOME/etc]

poll every 10 minutes

pollPeriod = 600

generate audit events into the audit index, instead of fschange events

signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = true

I can not see your rest://xxxx stanza there.

Try looking under a local directory in another app context. Or searching for it at the command line with find / grep etc...

Thanks for your fast answer.

An authentication is required and is maintained by an session id (SID). I used the one from the browser to double check.

With basic authentication or sid I get the following error code:

" ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/rest_ta/bin/rest.py" HTTP Request error: 403 Client Error: Forbidden"

When I tried without sid and authentication I also get an Error 403, so it seams that the authentication is not working in general.

Do you have any hint?

Thx
Christian

Do you have any hint?

Thx
Christian