logstash and elasticsearch always store timestamps as UTC. sprintf references will always be in UTC. If you want the sprintf references to be in another timezone you will have to lie to logstash about what timezone [@timestamp] is in. (And note that sprintf references use [@timestamp], not whatever field the date filter is using.)