Yeah, so I think there is a logical problem in how I am setting the date. Because when I am on Kibana and select "last 15 minutes", it's behind by 4 hours. So it's really not "last 15 minutes". I think it's the conversion of UTC to EDT. Here is the flow:
message (EDT) => Logstash (America/New_York) => Kibana (EDT)
So should I change the @timestamp field to UTC? I have it as America/New_York when it goes through Logstash.
This means there will be a 4-hour gap between the messagetime and the @timestamp field when viewed in Kibana.
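To illustrate the 4-hour gap described above, here is an added example (not code from the original post or from Logstash itself) that models a zone-less EDT messagetime being stored as @timestamp either as-is (treated as UTC) or after conversion from America/New_York to UTC, then rendered by a Kibana browser in EDT; the sample timestamp and the helper names are constructed for this illustration.

```python
"""Added example (not from the original post): shows why a log line's local
EDT timestamp ends up 4 hours off when @timestamp is not normalised to UTC.
Sample timestamp and helper names are constructed for illustration."""
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    NEW_YORK = ZoneInfo("America/New_York")
except Exception:  # no tz database available: assume EDT (UTC-4) for this example
    NEW_YORK = timezone(timedelta(hours=-4), "EDT")

UTC = timezone.utc
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: the sender stamps local wall-clock time with no zone marker.
SAMPLE_MESSAGETIME = "2019-06-10 10:00:00"  # June, so New York is on EDT (UTC-4)


def to_utc_timestamp(messagetime: str, source_tz) -> datetime:
    """What the date filter should produce: interpret the naive string in the
    sender's zone, then store @timestamp in UTC (Logstash's canonical form)."""
    local = datetime.strptime(messagetime, FMT).replace(tzinfo=source_tz)
    return local.astimezone(UTC)


def kibana_view(ts_utc: datetime, browser_tz) -> datetime:
    """Kibana renders @timestamp in the browser's zone (EDT in this scenario)."""
    return ts_utc.astimezone(browser_tz)


def gap_hours(messagetime: str, assumed_tz, browser_tz) -> float:
    """Hours between what the log line says and what Kibana displays when the
    zone-less messagetime was parsed as if it were in `assumed_tz`."""
    shown = kibana_view(to_utc_timestamp(messagetime, assumed_tz), browser_tz)
    original = datetime.strptime(messagetime, FMT)
    return (original - shown.replace(tzinfo=None)).total_seconds() / 3600


if __name__ == "__main__":
    # Misconfigured: naive EDT string treated as UTC -> Kibana shows 06:00, 4 h behind.
    print("gap when assuming UTC:", gap_hours(SAMPLE_MESSAGETIME, UTC, NEW_YORK))
    # Correct: tell the date filter the source zone -> Kibana shows 10:00, no gap.
    print("gap when assuming America/New_York:",
          gap_hours(SAMPLE_MESSAGETIME, NEW_YORK, NEW_YORK))
```

The takeaway for the date filter is that @timestamp should always be UTC, with the sender's zone supplied at parse time, so that Kibana's "last 15 minutes" window and the rendered time line up.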