When I have dealt with this in the past (when analyzing NYPD arrest records) I used a series of gsubs
mutate { gsub => [ "someField", "^2020-03-29 02:", "2020-03-29 03:" ] }
That only deals with the one hour. When your logs contain "2020-03-29 03:35:47.392" they may well mean "2020-03-29 04:35:47.392". It also ignores the problems when time goes back later in the year. Personally I only cared whether arrests were recorded in the right month, so an hour with twice as many events as it should have had, and an hour that had no events did not bother me.