First thing that comes to mind would be some authorization.conf mismatch which prevents your search head user from accessing the data. Are you using the same user (and role setup etc.) when searching directly on the indexer?
Regarding the unexpected fields: unless explicitly configured otherwise, Splunk will automatically detect key=value pairs in your data. If you don't want that, you need to configure the respective sourcetype with KV_MODE=none (in props.conf).