forensicmatt opened this issue · comments
Curious why not use
separate-json-attributes for the EvtxParserSettings?
When ever a XML element as an attribute, the JSON field will split into a
#attributes. This causes issues on many fronts. Using
separate-json-attributes setting for the parser will normalize the fields and an XML element's value will always be the field name and any element attributes will be placed under
<ELEMENT_NAME>_attributes. This prevents inconsistent field names in JSON serializations.
Some other references:
If you are open to this I can create a PR
Looks good. Now you wont have to guess when its going to be