I was able to finally get this to set the correct time by using a very round about way.
mutate {
add_field => [ "received_at", "%{@timestamp}" ]
}
grok {
match => { "received_at" => "%{TIMESTAMP_ISO8601:timestampNoZ}Z" }
}
date {
timezone => "America/New_York"
match => ["timestampNoZ", "ISO8601"]
}
mutate {
remove_field => [ "received_at", "timestampNoZ" ]
}
While I am sure that this can be cleaned up, it does work in getting the timestamp to be adjusted to the correct value.